Please use this identifier to cite or link to this item: https://dair.nps.edu/handle/123456789/5075
Title: Improve Acquisition Cybersecurity Risk Using the Acquisition Security Framework and SBOM Risk Framework
Authors: Michael Bandor, Charles M. Wallen, Carol Woody, Christopher Alberts
Keywords: cybersecurity; SBOM; supply chain risk; engineering risk
Issue Date: 1-May-2024
Publisher: Acquisition Research Program
Citation: APA
Series/Report no.: Acquisition Management;SYM-AM-24-031
Abstract: Increasingly, complex, software-intensive systems rely on software from third parties. However, recent events, such as MoveIT, SolarWinds®, and Log4j™ (Liu, 2021), demonstrate the profound cybersecurity consequences of lax third-party component management. Too often, these components are unknown, and suppliers are only beginning to be incentivized to consider the risk their products pose. For their part, acquirers remain primarily focused on cost and schedule. To help manage these challenges, and to deliver a secure-by-design outcome, the Carnegie Mellon University Software Engineering Institute (SEI) developed the Acquisition Security Framework (ASF). The ASF describes the practices needed across the supply chain to reduce risk gaps. In a derivative effort, the SEI also developed the Software Bills of Materials (SBOM) Framework, a set of SBOM practices and processes for managing risk. Building and using an SBOM requires heightened collaboration between suppliers and acquirers. Achieving effective SBOM results requires planning, tooling, trained staff, measurement, and monitoring, because technology and its use are always changing. Information available from an SBOM can offer insights into the challenges faced by the groups engaged in managing a system. This paper describes both frameworks and the opportunities each provides for improving acquisition cybersecurity risk.
Description: Proceedings paper
URI: https://dair.nps.edu/handle/123456789/5075
Appears in Collections: Annual Acquisition Research Symposium Proceedings & Presentations

Files in This Item:
File: SYM-AM-24-031.pdf (585.05 kB, Adobe PDF)