SBOM has changed the entire C-SCRM narrative by bringing a more product-centric focus to supply chain risk controls
SAG-PM™ version 1.1.2 is the first commercial, patent-pending (16/933161) Cyber Supply Chain Risk Management (C-SCRM) product to satisfy the requirements of President Biden’s May 12 Cybersecurity Executive Order (EO) 14028 for the NTIA Software Bill of Materials (SBOM) minimum elements, using the “primary component” method for product identification, and for “critical software” as defined by NIST. Federal agencies and other entities subject to EO 14028 can download and install SAG-PM™ today to start implementing software supply chain cybersecurity protections proactively, before any attempt to install a software product, preventing the installation of ransomware and other forms of malware. SAG-PM™ has been designed to meet all government SBOM cybersecurity requirements contained in section 4, Enhancing Software Supply Chain Security, of EO 14028, and NTIA’s minimum SBOM elements requirement. The introduction of SBOM has changed the entire C-SCRM narrative from being primarily vendor-centric to being both vendor- and product-centric, vastly improving cybersecurity protections within the software supply chain.
The Software Assurance Guardian™ Community Trust Registry (SAG-CTR™) has been tightly integrated into this version of SAG-PM™, enabling REA customers to view the list of trusting parties that have registered their trust in a particular software product and digital signature. REA customers use SAG-CTR™ during a C-SCRM risk assessment to verify the software supplier identity and the authorized signing party assigned by the software supplier. SAG-CTR™ addresses a known issue with existing digital signature verification practices that prevents software customers from verifying the trust relationship between a software object supplier and the signing party identified in a digital signature. SAG-CTR™ also addresses a known flaw in NERC’s ERO-endorsed cybersecurity guidelines for software source supplier verification, enabling electric utilities and other FERC jurisdictional entities to conduct a proper verification and comply with the NERC CIP-010-3 R1, 1.6.1 verification requirements for software source suppliers.
REA is also announcing availability of the SAG-STAR™ program, which is designed to acknowledge software products that have achieved a critical mass of “trust declarations” registered by REA customers in SAG-CTR™. Software vendors whose software products meet all SAG-STAR™ requirements are authorized to display the SAG-STAR™ emblem, indicating the high level of community trust for a product within their customer base.
With this product release, REA is announcing its support for C-SCRM SBOM solutions across other industries, including healthcare, telecommunications, finance, insurance, manufacturing, public utilities, non-profits and governmental agencies, in addition to the energy industry. “Executive Order 14028 mandates supply chain practices that are applicable across multiple industries. By aligning SAG-PM to address requirements in the Executive Order, we are now able to offer an ‘industry agnostic’ C-SCRM SBOM solution for the software supply chain,” stated Dick Brooks, REA’s lead software engineer for SAG-PM™. REA applies “Secure by Design” principles in all of its software development, operations and business practices.
Never trust software, always verify and report!™
Reliable Energy Analytics LLC
Source: EIN Presswire