
Tech Transforms podcast: SBOMs and the mission for federal government cybersecurity – down to the software supply chain

On the Tech Transforms podcast, sponsored by Dynatrace, we talk to some of the most prominent influencers shaping critical government technology decisions.

On Episode 73 of the Tech Transforms podcast, MITRE’s Tracy Bannon and I sat down with Allan Friedman, a senior advisor and strategist at the Cybersecurity and Infrastructure Security Agency (CISA). We chatted about federal cybersecurity and Friedman’s mission to make the software bill of materials (SBOM) a boring, expected part of software delivery to the federal government.

As Friedman points out, the concept of SBOMs is nothing new. In fact, they have been around and discussed for the last 20 years. However, we have not yet achieved widespread implementation of SBOMs, even in federal supply chains.

Friedman shared how he reminds himself of the essential, obvious nature of his mission. “I keep a Twinkie on my desk. It’s a delightful metaphor because everyone always chuckles about the Twinkie, but it comes with a list of ingredients,” he said. “It’s kind of wild that we expect more transparency from a nonbiodegradable snack than we do from the software that runs our organizations, our critical infrastructure, and our national security systems.”

Driving SBOM adoption to be a federal cybersecurity norm

When Executive Order 14028, “Improving the Nation’s Cybersecurity,” was issued in May 2021, it mandated the use of SBOMs but did not itself define what an SBOM is. After pushing for a faster timeline, the White House gave the government 60 days to publish a minimum definition of an SBOM. In this episode, Friedman explained the challenges of that process, chiefly balancing perspectives from across government and industry. He also emphasized the importance of the public and private sectors sharing a common understanding of what an SBOM is as adoption spreads.

This is critical because, as Friedman noted, the call for SBOMs was, and still is, not without concerns. Corporations and suppliers worry that publishing SBOMs may reveal proprietary information or expose their software to attack. He highlighted that SBOMs do not need to be public; they can be shared directly and privately with the customer purchasing the software.
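A purchaser who receives an SBOM privately still has to check that it actually carries the minimum elements the government defined (supplier name, component name, version, other unique identifiers, dependency relationship, author of the SBOM data, and timestamp, per the NTIA minimum elements published in July 2021). The following is an added example, not code from the podcast, CISA or Dynatrace: it parses a constructed CycloneDX 1.5 JSON document (the product, supplier and library names are fictitious, and "orphanlib" is deliberately incomplete) and reports every minimum element that is missing. The mapping of the seven NTIA fields onto CycloneDX keys is this example's own choice, not a standard-mandated one.

```python
from __future__ import annotations

import json
from datetime import datetime

# Constructed sample SBOM (CycloneDX 1.5 JSON). Product, supplier and package
# names are fictitious; "orphanlib" is deliberately incomplete.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2024-03-01T12:00:00Z",
    "authors": [{"name": "Acme Corp release pipeline"}],
    "component": {
      "type": "application", "name": "acme-portal", "version": "2.3.1",
      "bom-ref": "pkg:generic/acme-portal@2.3.1",
      "supplier": {"name": "Acme Corp"}
    }
  },
  "components": [
    {
      "type": "library", "name": "examplelib", "version": "4.1.0",
      "bom-ref": "pkg:pypi/examplelib@4.1.0",
      "purl": "pkg:pypi/examplelib@4.1.0",
      "supplier": {"name": "Examplelib Maintainers"}
    },
    {
      "type": "library", "name": "orphanlib",
      "bom-ref": "orphanlib-unknown"
    }
  ],
  "dependencies": [
    {"ref": "pkg:generic/acme-portal@2.3.1",
     "dependsOn": ["pkg:pypi/examplelib@4.1.0"]}
  ]
}
"""


def parse_sbom(text: str) -> dict:
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def check_ntia_minimum(sbom: dict) -> list[str]:
    """Return one finding per missing NTIA minimum data field.

    The seven fields (NTIA, July 2021): supplier name, component name, version,
    other unique identifiers, dependency relationship, author of SBOM data,
    timestamp. Mapping them onto CycloneDX keys is this example's own choice.
    An empty list means every field is present for every component.
    """
    findings: list[str] = []
    meta = sbom.get("metadata", {})

    # Author of SBOM data: a person/organisation, or the tool that generated it.
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata: missing author of SBOM data (authors/tools)")

    # Timestamp: must be present and parse as ISO 8601.
    ts = meta.get("timestamp") or ""
    try:
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        findings.append(f"metadata: missing or unparsable timestamp {ts!r}")

    components = sbom.get("components", [])
    known_refs = {c["bom-ref"] for c in components if c.get("bom-ref")}
    if meta.get("component", {}).get("bom-ref"):
        known_refs.add(meta["component"]["bom-ref"])

    # Dependency relationship: collect every ref that appears in the graph and
    # flag graph entries that point at components the document never declares.
    in_graph: set[str] = set()
    for dep in sbom.get("dependencies", []):
        targets = [dep.get("ref")] + list(dep.get("dependsOn", []))
        in_graph.update(targets)
        for ref in targets:
            if ref not in known_refs:
                findings.append(f"dependencies: unknown bom-ref {ref!r}")

    for comp in components:
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in in_graph:
            findings.append(f"{label}: absent from dependency graph")
    return findings


def load_and_check(text: str) -> list[str]:
    """Parse a CycloneDX JSON string and return its minimum-element findings."""
    return check_ntia_minimum(parse_sbom(text))


if __name__ == "__main__":
    for line in load_and_check(SAMPLE_SBOM_JSON) or ["OK: all minimum elements present"]:
        print(line)
```

Run as a script it lists the four gaps in "orphanlib" (no supplier, no version, no identifier, and no place in the dependency graph) and nothing for the complete component. In practice the check would be wired into the intake step that accepts a vendor's privately delivered SBOM, so that an incomplete document is rejected before the software it describes is deployed.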

In this episode, we also discussed SBOMs in terms of the larger Secure by Design initiative. Secure by Design aims to make software inherently more secure out of the box. Friedman’s work on widespread SBOM implementation is a key component of that.

“How do we make sure that the things that we’re plugging in today aren’t insecure out of the box?” he asked. “There are a number of different pieces in that model, by design and default. SBOM is one of them.”

Episode 73 of the Tech Transforms podcast
This episode of Tech Transforms discusses SBOMs and secure by design principles from the perspective of the U.S. government.

Tune in to the full episode for more insights from CISA senior advisor and strategist, Allan Friedman.

Follow the Tech Transforms podcast

Follow Tech Transforms on Twitter, LinkedIn, Instagram, and Facebook to get the latest updates on new episodes! Listen and subscribe on our website, or your favorite podcast platform, and leave us a review!