http://dx.doi.org/10.14400/JDC.2022.20.2.009

A Study on the Software Supply Chain Security Policy for the Strengthening of Cybersecurity: Based on SBOM Policy Cases  

Son, Hyo-Hyun (National Security Research Institute)
Kim, Dong-Hee (National Security Research Institute)
Kim, So-Jeong (National Security Research Institute)
Publication Information
Journal of Digital Convergence, v.20, no.2, 2022, pp. 9-20
Abstract
Supply chain attacks target critical infrastructure, cause large-scale damage, and are evolving into a threat to public safety and national security. Accordingly, when cybersecurity strategies and policies are established, supply chain risk management is specified as a means of enhancing security; the US Biden administration recently issued the Executive Order on Improving the Nation's Cybersecurity, in which the SBOM was mentioned as part of the guidelines for strengthening software supply chain security. If the government mandates the SBOM and uses it as a security verification tool for supply chains, this may have implications for the domestic procurement system in the future, and it can be referenced when establishing a security system for domestic supply chains as policy implementation progresses. Accordingly, in this paper, countries that are promoting SBOM policy as a way to strengthen the security of the software supply chain were selected and analyzed, with a focus on related cases. In addition, through comparison and analysis of foreign SBOM policy trends, methods for using the SBOM domestically in terms of technology, policy, and law were considered. As the SBOM is expected to gain value as a tool for verifying supply chain integrity and transparency, it is necessary to continuously identify trends in international standardization and policy development for the SBOM and to study its standard format.
Keywords
Cybersecurity; Supply Chain Security; Software Supply Chain Security; Software Bill of Material; SBOM;