Title: Improve Acquisition Cybersecurity Risk Using the Acquisition Security Framework and SBOM Risk Framework
Authors: Michael Bandor, Charles M. Wallen, Carol Woody, Christopher Alberts
Keywords: cybersecurity; SBOM; supply chain risk; engineering risk
Issue Date: 1-May-2024
Publisher: Acquisition Research Program
Series/Report no.: Acquisition Management; SYM-AM-24-031
Abstract: Complex, software-intensive systems increasingly rely on software from third parties. However, recent events such as MOVEit, SolarWinds®, and Log4j™ (Liu, 2021) demonstrate the profound cybersecurity consequences of lax third-party component management. Too often, these components are unknown, and suppliers are only beginning to be incentivized to consider the risk their products pose. For their part, acquirers remain primarily focused on cost and schedule. To help manage these challenges, and to deliver a secure-by-design outcome, the Carnegie Mellon University Software Engineering Institute (SEI) developed the Acquisition Security Framework (ASF). The ASF describes the practices needed across the supply chain to reduce risk gaps. In a derivative effort, the SEI also developed the Software Bill of Materials (SBOM) Framework, a set of SBOM practices and processes for managing risk. Building and using SBOMs requires heightened collaboration between suppliers and acquirers. Achieving effective SBOM results requires planning, tooling, trained staff, measurement, and monitoring, because technology and its use are always changing. Information available from an SBOM can offer insights into the challenges faced by the groups engaged in managing a system. This paper describes both frameworks and the opportunities each provides for improving acquisition cybersecurity risk.
Description: Proceedings paper
URI: https://dair.nps.edu/handle/123456789/5075
Appears in Collections: Annual Acquisition Research Symposium Proceedings & Presentations
Files in This Item:

| File | Description | Size | Format |
|---|---|---|---|
| SYM-AM-24-031.pdf | | 585.05 kB | Adobe PDF |