Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™)

---

UPDATE: The production release of SAG-PM™ Version 1.1.3 is now available. This release implements    supported Software Bill of Materials (SBOM) formats for both software vendors and consumers.  Software vendors can now use SAG-PM™ to create SBOM's in SPDX format for distribution to their customers, while simultaneously performing a risk assessment, before distributing their software products commercially. SAG-PM™ continues to support both SPDX and CycloneDX SBOM formats for software consumers to use in conducting a C-SCRM software risk assessment. This release of SAG-PM™  satisfies the key "Software Bill of Materials" (SBOM) requirements of President Biden's Cybersecurity Executive Order issued on 5/12/2021 and the risk management controls for critical infrastructure industrial control systems identified in the  Cybersecurity Memorandum issued on 7/28/2021.  A consumer's perspective of SBOM's is available here. 

[UPDATE 9/28/2021] REA has taken a significant step to help software vendors and software consumers easily implement NIST compliant Cyber Supply Chain Risk Management (C-SCRM) best practice with NTIA supported SBOM required for Executive Order 14028, by open-sourcing its Vendor Response XML File format/schema to meet NATF software supply chain vetting requirements for NERC CIP-013-1 and CIP-010-3 standards. This consistent, easy to use,  Response File format helps both customers and vendors by eliminating the varied, and numerous supply chain questionnaires that software vendors are receiving. A software consumer downloads the vendors XML Response File in the standard format provided by REA and can store the information provided in an evidence locker, for use during NERC audits and during vendor due diligence proceedings and contract negotiations. The open source , free to use, XML Response File schema, an example Vendor Response XML and a Known Vulnerability Disclosure statement are all available on GitHub  

The 1.1.2 release of SAG-PM™ also introduces SAG-CTR™, The Software Assurance Guardian™ (SAG™) Community Trust Registry (SAG-CTR™), where parties declare their trust in a software package and digital signature combination where other community members can view these trust declarations. SAG-CTR™ data is a key contributing factor  in the statistically calculated SAGScore™, indicating a level of Trustworthiness. Software products that achieve a critical mass of community trust declarations in SAG-CTR™ are eligible to proudly display the "SAG-STAR™" emblem, indicating a high level of community trust in their product.

An Energy Central PowerTalk session on 5/6/2021  is now available on demand which includes a demonstration of the SAG-PM ™  software supply risk assessment 7 step process and evidence file reporting with an emphasis on overcoming known flaws in NERC ERO approved guidance to verify software source identification and integrity verification for NERC CIP-010-3 Part 1.6 regulations.  

A SAG-PM ™ presentation that was delivered at the OWASP BSides CT meeting on 11/14/2020,  is now available online that describes the patent pending 7-step software supply chain risk assessment a video recording of the event is also available

 An Energy Central Powersession was conducted on 8/12/2020 that goes into detail of the SAG-PM™ software supply chain risk assessment process. Now available on demand

The patent pending Software Assurance Guardian™ product line has been updated with the first of its kind  SAG Point Man™ software application, also known as SAG-PM™. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of  a  software supply chain, preventing the installation of bad, harmful software into an operational system. SAG-PM performs seven critical investigative steps on a software object's installation file as part of a comprehensive software supply chain risk assessment process that calculates a SAGScore™, indicating a level of Trustworthiness for the software object itself and parties serving roles within the software supply  chain. These seven steps implement best practices to augment NERC CIP-010-3 using the NIST Cybersecurity Framework V1.1, as suggested by FERC in its 6/18/2020 cybersecurity White Paper, from each of their respective, ID.RA, ID.RM and ID.SC NIST functions:

• Source Server Location and SSL Certificate Validation against "accredited Certificate Authorities" and Software Source vendor supplied information
• Perform a provenance check by evaluating the path used to acquire a software object for possible man-in-the-middle attacks, blacklisted sites and geographic locations that may belong to entities hostile to the United States
• Introspection of a software object's installation package resulting in a Software Bill of Materials (SBOM) that is used to identify potential risk, in order to determine the trustworthiness of a software object
•  Extensive vulnerability scan using known and trustworthy Vulnerability Databases, such as NIST NVD
• Verification of Vendor credentials and processes to ensure that each vendor in the supply chain has been properly vetted and approved as implementing trustworthy business practices and control procedures to protect against any type of taint that may impact a software objects trustworthiness
• Verification of digitally signed software installation packages to ensure that no changes have occurred since the object was signed. Verifies the trust relationship between an SBOM Software Supplier and a party authorized by the software supplier to apply a digital signature on a software package on their behalf. 
• Perform a comprehensive malware scan of the software installation package using Microsoft Defender, as the default scanner and the suite of VirusTotal  malware scanning service as an option

The process concludes with a statistically calculated trustworthiness score, called a  SAGScore™, indicating a trustworthiness level based on the results of these seven investigative steps. All results are stored in a an evidence file for posterity and may be presented to auditors or forensic personnel. A proof of verification record is also generated, for insertion into a Change Management System, as required by NERC CIP-010-3 R1, Part 1.6 for evidence of compliance.

Never trust software, always verify and report!™

Contact us today to arrange your demonstration of SAG Point Man™.