UPDATE: The production release of SAG-PM™ Version 1.1.3 is now available. This release implements supported Software Bill of Materials (SBOM) formats for both software vendors and consumers. Software vendors can now use SAG-PM™ to create SBOMs in SPDX format for distribution to their customers while simultaneously performing a risk assessment before distributing their software products commercially. SAG-PM™ continues to support both the SPDX and CycloneDX SBOM formats for software consumers to use in conducting a C-SCRM software risk assessment. This release of SAG-PM™ satisfies the key "Software Bill of Materials" (SBOM) requirements of President Biden's Cybersecurity Executive Order issued on 5/12/2021 and the risk management controls for critical infrastructure industrial control systems identified in the Cybersecurity Memorandum issued on 7/28/2021. A consumer's perspective on SBOMs is available here.
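The consumer side of the release above, verifying that the packages listed in an SPDX SBOM match the files actually delivered, as an added example that is not SAG-PM™ code: it reads a constructed SPDX 2.2 JSON document (the standard `packages` / `checksums` fields), recomputes SHA-256 over constructed artifact bytes, and records per package whether integrity verified, mismatched, had no artifact to check, or carried no checksum at all.

```python
import hashlib
import json


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifact bytes standing in for the delivered installation files.
SAMPLE_ARTIFACTS = {
    "installer.msi": b"installer bytes (constructed sample)",
    "libhelper.dll": b"helper library bytes (constructed sample)",
}

# Constructed minimal SPDX 2.2 JSON SBOM; not a real vendor document.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-product-sbom",
    "packages": [
        {"name": "installer.msi", "SPDXID": "SPDXRef-Package-installer",
         "versionInfo": "1.0.0",
         "checksums": [{"algorithm": "SHA256",
                        "checksumValue": _sha256(SAMPLE_ARTIFACTS["installer.msi"])}]},
        {"name": "libhelper.dll", "SPDXID": "SPDXRef-Package-helper",
         "versionInfo": "2.3.1",
         # Deliberately wrong digest: stands in for a tampered or substituted file.
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]},
        {"name": "vendor-tool", "SPDXID": "SPDXRef-Package-tool",
         "versionInfo": "0.9"},  # no checksum: integrity cannot be verified
    ],
})


def verify_sbom(spdx_json: str, artifacts: dict) -> dict:
    """Map each SPDX package name to 'verified', 'mismatch',
    'missing-artifact' or 'no-checksum'; the record is suitable for an evidence file."""
    doc = json.loads(spdx_json)
    results = {}
    for pkg in doc.get("packages", []):
        name = pkg["name"]
        expected = [c["checksumValue"].lower() for c in pkg.get("checksums", [])
                    if c.get("algorithm", "").upper() == "SHA256"]
        if not expected:
            results[name] = "no-checksum"
        elif name not in artifacts:
            results[name] = "missing-artifact"
        elif _sha256(artifacts[name]) in expected:
            results[name] = "verified"
        else:
            results[name] = "mismatch"
    return results
```

Any status other than `verified` is a finding: a mismatch or absent checksum means the SBOM cannot substantiate the integrity of that component.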
[UPDATE 9/28/2021] REA has taken a significant step to help software vendors and software consumers easily implement NIST-compliant Cyber Supply Chain Risk Management (C-SCRM) best practice, with the NTIA-supported SBOM required by Executive Order 14028, by open-sourcing its Vendor Response XML file format/schema to meet NATF software supply chain vetting requirements for the NERC CIP-013-1 and CIP-010-3 standards. This consistent, easy-to-use Response File format helps both customers and vendors by eliminating the varied and numerous supply chain questionnaires that software vendors receive. A software consumer downloads the vendor's XML Response File in the standard format provided by REA and can store the information provided in an evidence locker for use during NERC audits, vendor due diligence proceedings and contract negotiations. The open-source, free-to-use XML Response File schema, an example Vendor Response XML and a Known Vulnerability Disclosure statement are all available on GitHub.
The 1.1.2 release of SAG-PM™ also introduces SAG-CTR™, the Software Assurance Guardian™ (SAG™) Community Trust Registry, where parties declare their trust in a software package and digital signature combination, and other community members can view these trust declarations. SAG-CTR™ data is a key contributing factor in the statistically calculated SAGScore™, which indicates a level of trustworthiness. Software products that achieve a critical mass of community trust declarations in SAG-CTR™ are eligible to proudly display the "SAG-STAR™" emblem, indicating a high level of community trust in their product.
An Energy Central PowerTalk session held on 5/6/2021 is now available on demand. It includes a demonstration of the SAG-PM™ software supply chain risk assessment 7-step process and evidence file reporting, with an emphasis on overcoming known flaws in NERC ERO-approved guidance for verifying software source identification and integrity for the NERC CIP-010-3 Part 1.6 requirements.
A SAG-PM™ presentation delivered at the OWASP BSides CT meeting on 11/14/2020 is now available online; it describes the patent-pending 7-step software supply chain risk assessment. A video recording of the event is also available.
An Energy Central Powersession conducted on 8/12/2020 goes into detail on the SAG-PM™ software supply chain risk assessment process. It is now available on demand.
The patent-pending Software Assurance Guardian™ product line has been updated with the first-of-its-kind SAG Point Man™ software application, also known as SAG-PM™. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad, harmful software into an operational system. SAG-PM™ performs seven critical investigative steps on a software object's installation file as part of a comprehensive software supply chain risk assessment process that calculates a SAGScore™, indicating a level of trustworthiness for the software object itself and for the parties serving roles within the software supply chain. These seven steps implement best practices to augment NERC CIP-010-3 using the NIST Cybersecurity Framework V1.1, as suggested by FERC in its 6/18/2020 cybersecurity White Paper, drawn from the respective ID.RA, ID.RM and ID.SC NIST functions:
The process concludes with a statistically calculated trustworthiness score, called a SAGScore™, indicating a trustworthiness level based on the results of these seven investigative steps. All results are stored in an evidence file for posterity and may be presented to auditors or forensic personnel. A proof-of-verification record is also generated for insertion into a Change Management System, as required by NERC CIP-010-3 R1, Part 1.6, as evidence of compliance.
Never trust software, always verify and report!™
Contact us today to arrange your demonstration of SAG Point Man™.