SAG-PM™ Version 1.1.8 Enabling Software Vendor Compliance for Executive Order 14028
A NIST C-SCRM solution, available now, for software vendors and government agencies working on Executive Order 14028 implementations due August 2022.
“SAG-PM (TM) provides software vendors the ability to supply government agencies with SBOMs and Vulnerability reports needed to comply with Executive Order 14028, starting today”
— Joanne Brooks, REA Co-Founder

WESTFIELD, MA, USA, February 1, 2022 /EINPresswire.com/ -- Reliable Energy Analytics, LLC (REA™) is pleased to announce the commercial release of SAG-PM™ version 1.1.8, effective February 1, 2022.
The May 12, 2021 Cybersecurity Executive Order (EO) 14028 instructs government agencies to implement software supply chain risk management functions to prevent another SolarWinds-type attack. The National Institute of Standards and Technology (NIST) has been selected to define the specific requirements and guidelines that help government agencies implement the executive order. NIST publication SP 800-161, Appendix F, describes the EO 14028 implementation guidelines that government entities will apply to implement the EO. The EO calls on NIST to define guidelines for Software Bill of Materials (SBOM) and software vulnerability reporting, i.e. SBOM Vulnerability Disclosure Reports (SBOM VDR), among other requirements for conducting a comprehensive C-SCRM risk assessment. Software vendors will need to supply their government contracting officers with both an SBOM and a Vulnerability Report in order to comply with EO 14028 requirements.
SAG-PM™ version 1.1.8, released on February 1, 2022, provides both software vendors and government agencies with the tools needed to generate and process NTIA-compliant SBOMs and Vulnerability Reports, using the open-source SBOM Vulnerability Disclosure Report format (SBOM VDR). Software vendors use SAG-PM™ to create an SBOM in NTIA SPDX format, compliant with EO 14028, for legacy applications, based on the inputs used to produce a software installation package. Once the SBOM is created, SAG-PM™ can produce a baseline SBOM VDR, which the software vendor analyzes and updates to address any reported vulnerabilities affecting its software product or the components listed in the product SBOM. Once the SBOM VDR is complete and all reported vulnerabilities have been resolved by the software vendor, the software package is ready for release to customers along with the SBOM and SBOM VDR.
The SBOM VDR serves as a virtual “CARFAX™” for software products: it lists all of the known issues and vulnerabilities that have been reported against a software product and its embedded components, starting on day one upon product release, and continues to be updated throughout the product's lifecycle, just like a “CARFAX™”, but for software. Software customers implement a daily monitoring routine that checks the SBOM VDR for each software product installed in their ecosystem, as a method of early risk detection and rapid mitigation response using REA’s Software Rapid Response Assessment™ (SRRA™) methodologies built into SAG-PM™ and the SBOM VDR.
REA is also pleased to announce the release of a new training video showing how to use SAG-PM™ to conduct a comprehensive NIST compliant C-SCRM risk assessment for EO 14028, produced by REA's Co-Founder, Joanne Brooks.
SAG-PM™ gives government agencies and their software vendor partners the tools needed, today, to implement and comply with EO 14028, following the NIST guidelines that define NTIA-compliant SBOMs and vulnerability reporting. Government preparation for EO 14028 implementation has begun, in order to meet an August 2022 effective date. The Center for Medicare and Medicaid Services (CMS) within the Department of Health and Human Services issued a request for information on January 28, 2022 titled “CMS Supply Chain Risk Management (SCRM) including Cyber-SCRM Sources Sought”, Notice ID: CMS-221166, seeking to identify software vendors and service providers that can implement NIST C-SCRM guidelines and requirements for EO 14028. REA is preparing to file a response to this RFI, due on February 11, 2022, and is open to partnering opportunities with parties planning to submit a response to CMS.
Never trust software, always verify and report!™
CARFAX is a registered trademark of CARFAX, Inc.
Dick Brooks
Reliable Energy Analytics LLC
+1 978-696-1788