NIST has published its definition of “critical software” as directed by Biden’s cybersecurity executive order: identifying applications that run with elevated privileges or control a company’s computing infrastructure, and the software libraries on which they depend. The extent to which such libraries should be included in the National Telecommunications and Information Administration’s “software bills of materials” requirements has become a point of contention.
The U.S. Chamber of Commerce and the Information Technology Industry Council have asked for flexibility, especially on how deep an SBOM should be required to go in describing its transitive dependencies, arguing this could place a burden on developers. However Representative Jim Langevin (D-RI), chair of the House Armed Services Cybersecurity Subcommittee, has asked NTIA to refrain from such considerations, blaming the government’s cybersecurity problem in part on a reluctance to invest in software security.
Source: