Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™)

---

[UPDATE 01/02/2023] REA is pleased to announce a new, free to use public service that provides software consumers access to software trust scores, called a SAGScore™ for apps in app stores and other applications available from the Internet. A SAGScore™ is conceptually similar to a FICO score, but uses criteria and methods specific to assessing software supply chain risk and the trustworthiness of software. More details are available online in this article.

[UPDATE 11/05/2022] The IETF Supply Chain Integrity, Transparency and Trust (SCITT) work group is meeting in London this week to discuss the need for a "TRUSTED REGISTRY" for software objects and other artifacts, identified in the official SCITT use case document.

[UPDATE 09/28/2022] SAG-PM version 1.2 was released today with support for CycloneDX version 1.4 and SPDX Version 2.3. This release addresses the requirements outlined in OMB memo M-22-18, released on September 14, 2022, to address software supply chain requirements contained in Executive Order 14028 following NIST recommendations.  An open-source, free to use Vendor Response File is used to give Federal Procurement Officer an automated, machine-readable method to acquire and categorize SBOM, self-attestation letters, NIST Vulnerability Disclosure Reports (VDR) and other requirements of M-22-18. 

[UPDATE 07/08/2022] A SAG-PM™ V 1.1.8 presentation is now available online describing how the SAG patent, US11,374,961, methods, processes and criteria, may be used to bring visibility of trustworthiness to APP stores.

[UPDATE 3/11/2022] SAG-PM™ version 1.1.8 is now available with even broader support for SBOM vulnerability reporting, including "CARFAX for software" concepts SBOM VDR and CycloneDX VEX, and proven integration with 3rd party SBOM repositories, such as Jitsuin RKVST. 

[UPDATE 1/11/2022]  The Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™)  version 1.1.7 release is the most advanced commercial platform  available to perform Software Rapid Risk Assessment™ (SRRA™) methods  based on the open-source, free to use, SBOM Vulnerability Disclosure Report (VDR) XML schema, version 1.1.7.  
 

The May 12, 2021, Cybersecurity Executive Order, 14028, which takes  effect in August 2022, requires software vendors to provide Federal  Agencies with an SBOM and notification of vulnerabilities. Federal  agencies use the SBOM and VDR as part of a risk assessment process  defined by NIST in SP 800-161 Appendix F. Federal agencies, and other  software consumers use SAG-PM™ version 1.1.7 to automate software risk assessments,  determining software risks within installed software products within  seconds using the SRRA™ methods implemented in SAG-PM™. 

[UPDATE 12/17/2021]: SAG-PM™ Version 1.1.6 was released on December 1st with support for NIST Guidance contained in SP 800-161 R2 Appendix F, which provides government agencies with implementation guidance to meet Executive Order 14028 requirements. This version adds JSON support for both SPDX and CycloneDX formats and a new "touchless" method to add vendor products to the SAG-PM™ database. Consumers rely entirely on software vendors to provide all of the information and data needed to implement a NIST compliant risk assessment pursuant to Executive Order 14028. SAG-PM™ also helps software vendors prepare for Executive Order 14028 by enabling the construction of SBOM's for legacy applications and by providing a "baseline" Vulnerability Disclosure Report based on SBOM contents.

 Software customers and government agencies can begin to prepare now to perform a NIST compliant risk assessment using the combination of vendor supplied SBOM and Vulnerability disclosure data to meet the Executive Order 14028 deadlines in 2022. 

[UPDATE 11/7/2021] : SAG-PM 1.1.5™ is now available containing full support for the open source, free to use, Vendor Response File (VRF) and Vulnerability  Disclosure Report (VDR) file formats to help companies comply with legislation making its way through Congress, H.R. 4611 Software consumers use SAG-PM™ to protect themselves from malicious software, such as ransomware, by performing a proactive risk assessment on a software package before any attempt to install. Software vendors use SAG-PM™ to protect themselves from harmful software that may be used in their operations or during product development to detect risk in embedded software components and generate a baseline Vulnerability Disclosure Report. This version of SAG-PM™ also implements a complete suite of evidence collection functions that are needed to meet NIST C-SCRM and NATF Security Assessment Model requirements. 

UPDATE: The production release of SAG-PM™ Version 1.1.3 is now available. This release implements    supported Software Bill of Materials (SBOM) formats for both software vendors and consumers.  Software vendors can now use SAG-PM™ to create SBOM's in SPDX format for distribution to their customers, while simultaneously performing a risk assessment, before distributing their software products commercially. SAG-PM™ continues to support both SPDX and CycloneDX SBOM formats for software consumers to use in conducting a C-SCRM software risk assessment. This release of SAG-PM™  satisfies the key "Software Bill of Materials" (SBOM) requirements of President Biden's Cybersecurity Executive Order issued on 5/12/2021 and the risk management controls for critical infrastructure industrial control systems identified in the  Cybersecurity Memorandum issued on 7/28/2021.  A consumer's perspective of SBOM's is available here. 

[UPDATE 9/28/2021] REA has taken a significant step to help software vendors and software consumers easily implement NIST compliant Cyber Supply Chain Risk Management (C-SCRM) best practice with NTIA supported SBOM required for Executive Order 14028, by open-sourcing its Vendor Response XML File format/schema to meet NATF software supply chain vetting requirements for NERC CIP-013-1 and CIP-010-3 standards. This consistent, easy to use,  Response File format helps both customers and vendors by eliminating the varied, and numerous supply chain questionnaires that software vendors are receiving. A software consumer downloads the vendors XML Response File in the standard format provided by REA and can store the information provided in an evidence locker, for use during NERC audits and during vendor due diligence proceedings and contract negotiations. The open source , free to use, XML Response File schema, an example Vendor Response XML and a Known Vulnerability Disclosure statement are all available on GitHub  

The 1.1.2 release of SAG-PM™ also introduces SAG-CTR™, The Software Assurance Guardian™ (SAG™) Community Trust Registry (SAG-CTR™), where parties declare their trust in a software package and digital signature combination where other community members can view these trust declarations. SAG-CTR™ data is a key contributing factor  in the statistically calculated SAGScore™, indicating a level of Trustworthiness. Software products that achieve a critical mass of community trust declarations in SAG-CTR™ are eligible to proudly display the "SAG-STAR™" emblem, indicating a high level of community trust in their product.

An Energy Central PowerTalk session on 5/6/2021  is now available on demand which includes a demonstration of the SAG-PM ™  software supply risk assessment 7 step process and evidence file reporting with an emphasis on overcoming known flaws in NERC ERO approved guidance to verify software source identification and integrity verification for NERC CIP-010-3 Part 1.6 regulations.  

A SAG-PM ™ presentation that was delivered at the OWASP BSides CT meeting on 11/14/2020,  is now available online that describes the patented 7-step software supply chain risk assessment a video recording of the event is also available

 An Energy Central Powersession was conducted on 8/12/2020 that goes into detail of the SAG-PM™ software supply chain risk assessment process. Now available on demand

The patented (US11,374,961)  Software Assurance Guardian™ product line has been updated with the first of its kind  SAG Point Man™ software application, also known as SAG-PM™. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of  a  software supply chain, preventing the installation of bad, harmful software into an operational system. SAG-PM performs seven critical investigative steps on a software object's installation file as part of a comprehensive software supply chain risk assessment process that calculates a SAGScore™, indicating a level of Trustworthiness for the software object itself and parties serving roles within the software supply  chain. These seven steps implement best practices to augment NERC CIP-010-3 using the NIST Cybersecurity Framework V1.1, as suggested by FERC in its 6/18/2020 cybersecurity White Paper, from each of their respective, ID.RA, ID.RM and ID.SC NIST functions:

• Source Server Location and SSL Certificate Validation against "accredited Certificate Authorities" and Software Source vendor supplied information
• Perform a provenance check by evaluating the path used to acquire a software object for possible man-in-the-middle attacks, blacklisted sites and geographic locations that may belong to entities hostile to the United States
• Introspection of a software object's installation package resulting in a Software Bill of Materials (SBOM) that is used to identify potential risk, in order to determine the trustworthiness of a software object
•  Extensive vulnerability scan using known and trustworthy Vulnerability Databases, such as NIST NVD
• Verification of Vendor credentials and processes to ensure that each vendor in the supply chain has been properly vetted and approved as implementing trustworthy business practices and control procedures to protect against any type of taint that may impact a software objects trustworthiness
• Verification of digitally signed software installation packages to ensure that no changes have occurred since the object was signed. Verifies the trust relationship between an SBOM Software Supplier and a party authorized by the software supplier to apply a digital signature on a software package on their behalf. 
• Perform a comprehensive malware scan of the software installation package using Microsoft Defender, as the default scanner and the suite of VirusTotal  malware scanning service as an option

The process concludes with a statistically calculated trustworthiness score, called a  SAGScore™, indicating a trustworthiness level based on the results of these seven investigative steps. All results are stored in a an evidence file for posterity and may be presented to auditors or forensic personnel. A proof of verification record is also generated, for insertion into a Change Management System, as required by NERC CIP-010-3 R1, Part 1.6 for evidence of compliance.

Never trust software, always verify and report!™

Contact us today to arrange your demonstration of SAG Point Man™.