All software vendors and security engineering teams need to be familiar with these requirements to sell software in these markets.
Biden Administration
Executive Order 14028
"To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain..."
National Cybersecurity Strategy Implementation Plan
"Achieving the President’s cybersecurity vision requires coordinated action across the United States Government and American society. The National Cybersecurity Strategy Implementation Plan is a roadmap for this effort."
Requirements are cascading down to government organizations, standards bodies, and commercial compliance regimes
NIST
NIST SP 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
"This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities."
"4. a. Software Bill of Materials
Because vulnerability management is a critical part of a device’s security risk management processes, an SBOM or an equivalent capability should be maintained as part of the device’s configuration management, be regularly updated to reflect any changes to the software"
FDA-2023-D-1030: Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems
"A person who submits an application [...] meets the definition of a cyber device under this section shall include such information as [FDA] may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).
(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components"
M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices
"2.b SBOMs must be generated in one of the data formats defined in the National Telecommunications and Information Administration (NTIA) report “The Minimum Elements for a Software Bill of Materials (SBOM)”"
Requirement 6: Develop and Maintain Secure Systems and Software
"6.3.2. An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management."
"The strategy aims to build collective capabilities to respond to major cyberattacks. It also outlines plans to work with partners around the world to ensure international security and stability in cyberspace."
Requirements are cascading down to government organizations and proposed legislation
DORA
Regulation 2022/2554: Digital Operational Resilience for the Financial Sector
"Article 13(1). Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience."
Regulation 2022/0272: Horizontal Cybersecurity Requirements for Products with Digital Elements
"(77) In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up an SBOM."
"[The goal is to] provide practical guidance on how an organisation can protect their systems and data from cyber threats. These cyber security guidelines cover governance, physical security, personnel security, and information and communications technology security matters."