
Rapid automated cyber risk detection solutions


Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™)

SAG-PM Version 2.1.6 implements Continuous Cyber Risk Monitoring and Automated Risk Response

Complete the contact form to learn more about Business Cyber Guardian™ SAG-PM product pricing.


November 1, 2025: another major advancement from the innovator in SCRM best practice. SAG-PM™ version 2.1.6 now provides an automated, rapid risk response capability when a new software vulnerability is reported, as part of a Continuous Risk Monitoring program aimed at closing, as quickly as possible, the "window of opportunity" that cyber criminals exploit, so that a cyber incident does not cause business disruptions. This new feature creates a "Products at Risk" report that notifies parties which products in their cyber ecosystems may be at risk due to a newly reported vulnerability, enabling a rapid risk mitigation response for the software products most at risk of a cyber breach. The increase in both the frequency and volume of software vulnerability reports, now reported to be tracking at 130 CVEs per day, has reached an inflection point where manual methods of identifying products at risk are no longer effective. An automated risk assessment and response program is needed to close the window of opportunity that cyber criminals exploit today when a new vulnerability is reported.


September 6, 2025: SAG-PM™ version 2.1.5 now validates and accepts self-signed digital certificates for code signing, based on corroborating evidence of authenticity. Software suppliers are no longer required to acquire digital certificates from public CAs to pass a comprehensive software risk assessment using SAG-PM™ V 2.1.5 following Secure by Design best practices, lowering the cost of compliance for smaller entities in the DIB and the software supply chain. Improved product database filtering also enhances VDRcheck by letting users specify a Supplier~Product~Version search string, with support for partial strings: for example, the search string B~~~ selects every product and version in the database whose Supplier Name begins with "B", so that the latest Vulnerability Disclosure Report (VDR) can be downloaded for each, enabling organizations to rapidly close the window of opportunity that hackers exploit when a new software vulnerability is reported.
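The two ideas in the postings above, a "Products at Risk" report that maps a newly reported vulnerability back to every product whose SBOM carries the affected component, and a Supplier~Product~Version search string with partial matching such as B~~~, are illustrated below in a stand-alone Python example. This is added illustration, not SAG-PM or VDRcheck code: the product records, their SBOM component lists and the advisory are constructed sample data, the identifier CVE-0000-EXAMPLE is a placeholder, and the "introduced/fixed" version-range shape of the advisory is an assumption about how such a report might be expressed.

```python
# Added illustration (not SAG-PM or VDRcheck code). All records below are
# constructed sample data; "CVE-0000-EXAMPLE" is a placeholder identifier.
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    supplier: str
    name: str
    version: str
    components: tuple  # (component name, version) pairs taken from the product's SBOM

    @property
    def key(self) -> str:
        return f"{self.supplier}~{self.name}~{self.version}"


# Constructed product database: each entry carries the components its SBOM lists.
PRODUCT_DB = [
    Product("Beacon Systems", "Relay Controller", "4.2.0", (("openssl", "3.0.1"), ("zlib", "1.2.13"))),
    Product("Beacon Systems", "Relay Controller", "4.3.0", (("openssl", "3.0.12"), ("zlib", "1.3"))),
    Product("Brightline", "Meter Gateway", "2.0", (("libxml2", "2.9.10"),)),
    Product("ACME Corp", "Widget Designer", "1.0.0", (("openssl", "3.0.1"),)),
]

# Constructed advisory: the affected component and the half-open range
# [introduced, fixed) of vulnerable versions (an assumed shape, not a real schema).
NEW_ADVISORY = {"id": "CVE-0000-EXAMPLE", "component": "openssl",
                "introduced": "3.0.0", "fixed": "3.0.12"}


def parse_version(v: str) -> tuple:
    """Turn '3.0.12' into a tuple that compares numerically, not lexically,
    so that 3.0.12 sorts after 3.0.9. Non-numeric parts sort after numeric ones."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def filter_products(db: list, search: str) -> list:
    """Supplier~Product~Version filter. An empty field matches anything; a
    non-empty field is a case-insensitive prefix match, so "B~~~" selects every
    product whose supplier name begins with B."""
    fields = search.split("~")
    fields += [""] * (4 - len(fields))  # tolerate the trailing empty field in "B~~~"
    supplier, name, version = (f.strip().lower() for f in fields[:3])
    return [p for p in db
            if p.supplier.lower().startswith(supplier)
            and p.name.lower().startswith(name)
            and p.version.lower().startswith(version)]


def products_at_risk(db: list, advisory: dict) -> list:
    """Return (product key, component@version) for every product whose SBOM
    lists the advisory's component at a version inside the vulnerable range."""
    comp = advisory["component"]
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"]) if advisory.get("fixed") else None
    hits = []
    for p in db:
        for cname, cver in p.components:
            if cname != comp:
                continue
            v = parse_version(cver)
            if v >= lo and (hi is None or v < hi):
                hits.append((p.key, f"{cname}@{cver}"))
    return hits


def products_at_risk_report(db: list, advisory: dict) -> str:
    """Render the notification text: one line per product at risk."""
    lines = [f"Products at Risk for {advisory['id']} ({advisory['component']} "
             f">= {advisory['introduced']}, < {advisory.get('fixed') or 'unfixed'})"]
    for key, comp in products_at_risk(db, advisory):
        lines.append(f"  {key}: {comp}")
    return "\n".join(lines)


if __name__ == "__main__":
    print([p.key for p in filter_products(PRODUCT_DB, "B~~~")])
    print(products_at_risk_report(PRODUCT_DB, NEW_ADVISORY))
```

The version comparison is the part worth getting right: a plain string comparison would treat 3.0.12 as older than 3.0.9 and report the patched 4.3.0 release as still at risk, which is exactly the false positive that wastes a response team's time.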


July 4, 2025: Version 2.1.4 of SAG-PM™ is now commercially available with full support for the final FDA medical device cybersecurity requirements for machine-readable SBOMs and Vulnerability Disclosure Reporting, following NIST implementation guidelines. Now every medical device manufacturer can confidently meet the final FDA cybersecurity requirements for machine-readable SBOMs and Vulnerability Disclosure Reporting (VDR), following NTIA SBOM guidelines and NIST implementation guidelines for SBOM and VDR. Fill out the Contact Us form for more information and a demonstration of SAG-PM and the SAG-CTR Trust Registry.


January 22, 2025: a patch release of SAG-PM™ is now available as Version 2.1.3, addressing known issues with Windows 11.


December 19, 2024: Business Cyber Guardian™ (BCG) is pleased to announce the latest release of SAG-PM™, Version 2.1.2, which now analyzes vendor responses to CISA's Secure by Design Software Acquisition Guide spreadsheet as part of the SAGScore calculation. The new feature provides greater visibility (radical transparency) to help software consumers identify trustworthy software products that adhere to the Secure by Design Software Acquisition Guide practices contained in the CISA SAG spreadsheet. The SAGScore™ Cybersecurity Label for Version 2.1.2 is available by clicking the QR code on the left side of this page.

Business Cyber Guardian™ (BCG) is also making available a free to use, open-source application called CISASAGReader to help software consumers view and verify the CISA SAG Spreadsheet responses that software vendors provide at the request of a software consumer. This easy to use tool automates the processing of multiple CISA SAG spreadsheets without requiring Microsoft Excel products or "flipping through workbook tabs" to view a vendor's responses. The CISASAGReader is "content aware": it eliminates extraneous responses that add noise, so that only the important, most relevant responses stand out, to aid risk-based decision making. Now every software consumer can have radical transparency into the Secure by Design practices of software vendors, using the CISA SAG Spreadsheet and the CISASAGReader application.


August 18, 2024: Business Cyber Guardian™ (BCG) is pleased to announce the first release of the SAG-PM™ product, version 2.1.1, with additional enhancements to validate products against key CISA "Secure By Design" transparency principles in accordance with the CISA Software Acquisition Guide practices released by CISA on August 1. Version 2.1.1 also helps companies comply with SEC, GSA, Department of State, Department of Commerce and other Agency expectations for Secure Software Assurance and proactive cyber risk detection products and services, including the GSA SCRIPTS RFQ seeking illumination tools that proactively warn Companies and Government Agencies of increased cyber risk in the software supply chain, before it's too late, especially CISA KEVs, the most dangerous cyber threats we face, with the broadest "blast radius" impacts.

Remember to look both ways before installing software, including patches, into a production environment to avoid becoming roadkill on the Information Super Highway, like the 8.5 million Windows machines that received updates without looking both ways and were disabled. Always look both ways before installing software, especially patches and new products, into a production environment; follow CISA best practices to verify software as trustworthy using the CISA Software Acquisition Guide spreadsheet questionnaire.


And, remember, risk always exists, but trust must be earned and awarded.
Risk scores are just telling us what we already know: there is risk in everything. Trust scores tell us who/what is trustworthy, knowing there is always risk. Look both ways before installing software in production environments.
Ask for the "trust score"!
 


April 23, 2024: REA is pleased to announce the release of SAG-PM™ Version 1.2.3 with full support for processing the artifacts needed for the US Government Secure Software Attestation Form collection process using CISA's RSAA portal. Government agencies will begin collecting secure software attestation forms starting June 8, 2024, to comply with Executive Order 14028 and OMB M-22-18. Software producers can upload their secure software attestation forms on CISA's portal now, along with other artifacts that a Government agency may request, such as an SBOM, POA&M, open-source Vulnerability Disclosure Report (VDR) and open-source Vendor Response File (VRF). By providing all of these artifacts up front, software producers can eliminate much of the back-and-forth questioning that can happen when a Government agency processes an attestation form, resulting in a more efficient process for both the software producer and the US Government. SAG-PM Version 1.2.3 is available now for commercial use.


BCG is offering to demonstrate the CISA RSAA portal process for uploading attestation forms and other software supply chain artifacts, such as SBOMs and POA&Ms. BCG has already completed two RSAA portal demonstrations for government agencies and is preparing to conduct more demos for other agencies and for software producers that will be submitting their materials for US government procurement requirements beginning June 8, 2024.


Fill in the contact form to learn how BCG can help you comply with the SEC Cybersecurity Rules BEFORE the 12/2023 effective date.


Don't take risks when the SEC Cybersecurity Regulations (17 CFR 229.106) go into effect in December 2023. Go with the company Crunchbase places at "top of the list" for SEC Cybersecurity.


[UPDATE 08/11/2023] REA has released version 1.2.1 of SAG-PM™, which is available now with updated support enabling Companies to comply with the SEC Cybersecurity Rules that go into effect December 2023, contained in the Code of Federal Regulations under 17 CFR 229.106. These rules require Officers and Directors to take direct responsibility for proper "good faith" cybersecurity controls and processes to proactively detect the presence of cyber-risks, using cyber risk management practices and policies that need to be disclosed to the SEC on a periodic basis. The new rules also require the reporting of a material cyber-incident within 96 hours. This opens the door for shareholder scrutiny of cyber risk management controls and processes, which could lead to a Caremark lawsuit holding Officers and Directors personally liable in the event of shareholder losses resulting from a cyber-incident. REA helps Officers and Directors protect themselves from liability by retaining tamper-proof evidence of software supply chain cyber-risk detection controls and processes, including the detection of CISA Known Exploited Vulnerabilities, following the SAG patented methods and a "chain of custody protocol" designed to ensure the integrity of evidence data for presentation in any lawsuits or SEC actions. Companies submit evidence of their SAG risk detection processes and controls into the SAG-CTR™ Evidence Locker as part of a software risk assessment procedure, where it is securely preserved using a "chain of custody protocol" designed to maintain the integrity of tamper-proof evidence data.

REA provides the NIST-based, good faith software risk management process documentation and disclosure materials required by the new SEC regulations in a Form 10-K, together with tamper-proof evidence of cyber-risk detection controls that may be presented in court, or during an SEC action, to help protect Officers and Directors from personal liability in the event of a cyber-incident. Additional details of the REA solution for the SEC Cybersecurity Regulations are provided in REA's BSides CT presentation from September 30, 2023.

Never trust software, always verify and report!™


[UPDATE 01/02/2023] REA is pleased to announce a new, free to use public service that provides software consumers access to software trust scores, called a SAGScore™ for apps in app stores and other applications available from the Internet. A SAGScore™ is conceptually similar to a FICO score, but uses criteria and methods specific to assessing software supply chain risk and the trustworthiness of software. More details are available online in this article.


[UPDATE 11/05/2022] The IETF Supply Chain Integrity, Transparency and Trust (SCITT) work group is meeting in London this week to discuss the need for a "TRUSTED REGISTRY" for software objects and other artifacts, identified in the official SCITT use case document. The SAG-CTR™ Trust Registry is the ideal, secure way to store tamper-proof evidence of proactive cyber risk management controls to detect risk in software supply chains before procurement and installation to help Directors and Officers produce court quality evidence to prove "duty of care" obligations to satisfy new SEC cybersecurity rules going into effect in 2023, and any shareholder lawsuits following a cyber-incident that results in shareholder losses. 


[UPDATE 09/28/2022] SAG-PM version 1.2 was released today with support for CycloneDX version 1.4 and SPDX Version 2.3. This release addresses the requirements outlined in OMB memo M-22-18, released on September 14, 2022, to address the software supply chain requirements contained in Executive Order 14028 following NIST recommendations. An open-source, free to use Vendor Response File gives Federal Procurement Officers an automated, machine-readable method to acquire and categorize SBOMs, self-attestation letters, NIST Vulnerability Disclosure Reports (VDR) and other requirements of M-22-18.


[UPDATE 07/08/2022] A SAG-PM™ V 1.1.8 presentation is now available online describing how the methods, processes and criteria of the SAG patent, US11,374,961, may be used to bring visibility of trustworthiness to APP stores.


[UPDATE 3/11/2022] SAG-PM™ version 1.1.8 is now available with even broader support for SBOM vulnerability reporting, including "CARFAX for software" concepts SBOM VDR and CycloneDX VEX, and proven integration with 3rd party SBOM repositories, such as Jitsuin RKVST. 


[UPDATE 1/11/2022] The Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™) version 1.1.7 release is the most advanced commercial platform available to perform Software Rapid Risk Assessment™ (SRRA™) methods based on the open-source, free to use, SBOM Vulnerability Disclosure Report (VDR) XML schema, version 1.1.7.
 

The May 12, 2021, Cybersecurity Executive Order, 14028, which takes effect in August 2022, requires software vendors to provide Federal Agencies with an SBOM and notification of vulnerabilities. Federal agencies use the SBOM and VDR as part of a risk assessment process defined by NIST in SP 800-161 Appendix F. Federal agencies, and other software consumers, use SAG-PM™ version 1.1.7 to automate software risk assessments, determining software risks within installed software products within seconds using the SRRA™ methods implemented in SAG-PM™.


[UPDATE 12/17/2021]: SAG-PM™ Version 1.1.6 was released on December 1st with support for the NIST Guidance contained in SP 800-161 R2 Appendix F, which provides government agencies with implementation guidance to meet Executive Order 14028 requirements. This version adds JSON support for both SPDX and CycloneDX formats and a new "touchless" method to add vendor products to the SAG-PM™ database. Consumers rely entirely on software vendors to provide all of the information and data needed to implement a NIST compliant risk assessment pursuant to Executive Order 14028. SAG-PM™ also helps software vendors prepare for Executive Order 14028 by enabling the construction of SBOMs for legacy applications and by providing a "baseline" Vulnerability Disclosure Report based on SBOM contents.

Software customers and government agencies can begin to prepare now to perform a NIST compliant risk assessment using the combination of vendor supplied SBOM and Vulnerability Disclosure data to meet the Executive Order 14028 deadlines in 2022.

  

[UPDATE 11/7/2021]: SAG-PM™ 1.1.5 is now available, containing full support for the open source, free to use, Vendor Response File (VRF) and Vulnerability Disclosure Report (VDR) file formats to help companies comply with legislation making its way through Congress, H.R. 4611. Software consumers use SAG-PM™ to protect themselves from malicious software, such as ransomware, by performing a proactive risk assessment on a software package before any attempt to install it. Software vendors use SAG-PM™ to protect themselves from harmful software that may be used in their operations or during product development, by detecting risk in embedded software components and generating a baseline Vulnerability Disclosure Report. This version of SAG-PM™ also implements a complete suite of evidence collection functions that are needed to meet NIST C-SCRM and NATF Security Assessment Model requirements.

 

UPDATE: The production release of SAG-PM™ Version 1.1.3 is now available. This release implements the supported Software Bill of Materials (SBOM) formats for both software vendors and consumers. Software vendors can now use SAG-PM™ to create SBOMs in SPDX format for distribution to their customers, while simultaneously performing a risk assessment, before distributing their software products commercially. SAG-PM™ continues to support both SPDX and CycloneDX SBOM formats for software consumers to use in conducting a C-SCRM software risk assessment. This release of SAG-PM™ satisfies the key "Software Bill of Materials" (SBOM) requirements of President Biden's Cybersecurity Executive Order issued on 5/12/2021 and the risk management controls for critical infrastructure industrial control systems identified in the Cybersecurity Memorandum issued on 7/28/2021. A consumer's perspective of SBOMs is available here.


[UPDATE 9/28/2021] REA has taken a significant step to help software vendors and software consumers easily implement NIST compliant Cyber Supply Chain Risk Management (C-SCRM) best practice with the NTIA supported SBOM required for Executive Order 14028, by open-sourcing its Vendor Response XML File format/schema to meet NATF software supply chain vetting requirements for the NERC CIP-013-1 and CIP-010-3 standards. This consistent, easy to use Response File format helps both customers and vendors by eliminating the varied and numerous supply chain questionnaires that software vendors are receiving. A software consumer downloads the vendor's XML Response File in the standard format provided by REA and can store the information provided in an evidence locker, for use during NERC audits and during vendor due diligence proceedings and contract negotiations. The open source, free to use, XML Response File schema, an example Vendor Response XML and a Known Vulnerability Disclosure statement are all available on GitHub.


The 1.1.2 release of SAG-PM™ also introduces SAG-CTR™, The Software Assurance Guardian™ (SAG™) Community Trust Registry (SAG-CTR™), where parties declare their trust in a software package and digital signature combination where other community members can view these trust declarations. SAG-CTR™ data is a key contributing factor  in the statistically calculated SAGScore™, indicating a level of Trustworthiness. Software products that achieve a critical mass of community trust declarations in SAG-CTR™ are eligible to proudly display the "SAG-STAR™" emblem, indicating a high level of community trust in their product.


An Energy Central PowerTalk session on 5/6/2021 is now available on demand. It includes a demonstration of the SAG-PM™ software supply chain risk assessment seven-step process and evidence file reporting, with an emphasis on overcoming known flaws in NERC ERO approved guidance for verifying software source identification and integrity for NERC CIP-010-3 Part 1.6 regulations.


A SAG-PM™ presentation delivered at the OWASP BSides CT meeting on 11/14/2020 is now available online; it describes the patented 7-step software supply chain risk assessment. A video recording of the event is also available.


An Energy Central Powersession was conducted on 8/12/2020 that goes into detail on the SAG-PM™ software supply chain risk assessment process. It is now available on demand.


The patented (US11,374,961) Software Assurance Guardian™ product line has been updated with the first-of-its-kind SAG Point Man™ software application, also known as SAG-PM™. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad, harmful software into an operational system. SAG-PM performs seven critical investigative steps on a software object's installation file as part of a comprehensive software supply chain risk assessment process that calculates a SAGScore™, indicating a level of Trustworthiness for the software object itself and for the parties serving roles within the software supply chain. These seven steps implement best practices to augment NERC CIP-010-3 using the NIST Cybersecurity Framework V1.1, as suggested by FERC in its 6/18/2020 cybersecurity White Paper, drawn from the ID.RA, ID.RM and ID.SC NIST functions respectively:

  • Source Server Location and SSL Certificate Validation against "accredited Certificate Authorities" and Software Source vendor supplied information
  • Perform a provenance check by evaluating the path used to acquire a software object for possible man-in-the-middle attacks, blacklisted sites and geographic locations that may belong to entities hostile to the United States
  • Introspection of a software object's installation package, resulting in a Software Bill of Materials (SBOM) that is used to identify potential risk in order to determine the trustworthiness of a software object
  • Extensive vulnerability scan using known and trustworthy Vulnerability Databases, such as NIST NVD
  • Verification of Vendor credentials and processes to ensure that each vendor in the supply chain has been properly vetted and approved as implementing trustworthy business practices and control procedures to protect against any type of taint that may impact a software object's trustworthiness
  • Verification of digitally signed software installation packages to ensure that no changes have occurred since the object was signed. Verifies the trust relationship between an SBOM Software Supplier and a party authorized by the software supplier to apply a digital signature on a software package on their behalf.
  • Perform a comprehensive malware scan of the software installation package using Microsoft Defender as the default scanner, with the suite of VirusTotal malware scanning services as an option

The process concludes with a statistically calculated trustworthiness score, called a SAGScore™, indicating a trustworthiness level based on the results of these seven investigative steps. All results are stored in an evidence file for posterity and may be presented to auditors or forensic personnel. A proof of verification record is also generated for insertion into a Change Management System, as required by NERC CIP-010-3 R1, Part 1.6, for evidence of compliance.
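The seven investigative steps and the evidence file they feed can be modelled end to end in a small program. The Python below is an added illustration, not SAG-PM's implementation: every input (the installer bytes, the download context, the SBOM, the signature record, the accredited CA list, the vetted-vendor and authorized-signer lists, the vulnerability database entry with its placeholder identifier CVE-0000-EXAMPLE) is constructed sample data; the signature check is simplified to a digest-plus-authorized-signer comparison rather than real X.509 code signing; the malware step uses a digest denylist as a stand-in for Microsoft Defender or VirusTotal; and the weighted scoring formula is an assumption for illustration, not the SAGScore™ method. The part that generalizes beyond the page is the evidence file: each step's result is hash-chained to the previous record, so that an auditor can detect any later edit or deletion from the file alone, which is the property a "chain of custody" for evidence needs.

```python
# Added illustration (not SAG-PM code): a simplified seven-step software supply
# chain check whose results are written to a hash-chained evidence file.
# All inputs are constructed sample data; the score formula is an assumption.
import hashlib
import json

ACCREDITED_CAS = {"Example Trusted CA"}                       # constructed
BLOCKLISTED_HOSTS = {"mirror.bad.example"}                    # constructed
HOSTILE_COUNTRIES = {"XX"}                                    # constructed placeholder
VETTED_VENDORS = {"ACME Corp"}                                # constructed
AUTHORIZED_SIGNERS = {"ACME Corp": {"ACME Signing Service"}}  # supplier -> signers it authorized
VULN_DB = {("openssl", "3.0.1"): ["CVE-0000-EXAMPLE"]}        # placeholder vulnerability id
KNOWN_BAD_DIGESTS = set()                                     # stand-in for an AV engine

# Assumed step weights for illustration only; not the SAGScore method.
STEP_WEIGHTS = {"source": 1.0, "provenance": 1.0, "sbom": 0.5, "vulnerabilities": 2.0,
                "vendor": 1.0, "signature": 3.0, "malware": 3.0}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess(package: bytes, download: dict, sbom: list, signature: dict) -> dict:
    """Run the seven checks on one installer and return results plus a score."""
    digest = sha256_hex(package)
    results = []

    def record(step, passed, detail):
        results.append({"step": step, "passed": bool(passed), "detail": detail})

    # 1. Source server: TLS certificate from an accredited CA, host as the vendor declared it.
    record("source", download["cert_issuer"] in ACCREDITED_CAS
           and download["host"] == download["vendor_declared_host"],
           f"issuer={download['cert_issuer']} host={download['host']}")
    # 2. Provenance: every hop on the acquisition path (redirects included) is
    #    checked against the blocklist, and the serving location against the hostile list.
    path = [download["host"]] + download["redirects"]
    record("provenance", not any(h in BLOCKLISTED_HOSTS for h in path)
           and download["server_country"] not in HOSTILE_COUNTRIES,
           f"path={path} country={download['server_country']}")
    # 3. Introspection: an SBOM with at least one component was produced.
    record("sbom", len(sbom) > 0, f"{len(sbom)} components")
    # 4. Vulnerability scan: look each SBOM component up in the vulnerability database.
    findings = {f"{n}@{v}": VULN_DB[(n, v)] for n, v in sbom if (n, v) in VULN_DB}
    record("vulnerabilities", not findings, json.dumps(findings, sort_keys=True))
    # 5. Vendor credentials: the SBOM supplier has been vetted.
    record("vendor", signature["supplier"] in VETTED_VENDORS, signature["supplier"])
    # 6. Signature: package unchanged since signing, and the signer is one the
    #    SBOM supplier authorized to sign on its behalf.
    record("signature", signature["sha256"] == digest
           and signature["signer"] in AUTHORIZED_SIGNERS.get(signature["supplier"], set()),
           f"signer={signature['signer']}")
    # 7. Malware: digest denylist as a stand-in for a real scanner.
    record("malware", digest not in KNOWN_BAD_DIGESTS, f"sha256={digest}")

    earned = sum(STEP_WEIGHTS[r["step"]] for r in results if r["passed"])
    score = round(100 * earned / sum(STEP_WEIGHTS.values()))
    return {"package_sha256": digest, "score": score, "results": results}


def build_evidence_chain(assessment: dict) -> list:
    """Chain each step record to the hash of the previous one, so editing or
    dropping any record later breaks every hash after it."""
    chain, prev = [], "0" * 64
    for r in assessment["results"]:
        body = json.dumps(r, sort_keys=True)
        entry = {"prev": prev, "body": body, "hash": sha256_hex((prev + body).encode())}
        chain.append(entry)
        prev = entry["hash"]
    return chain


def verify_evidence_chain(chain: list) -> bool:
    """Recompute every link; True only if the file is exactly as written."""
    prev = "0" * 64
    for entry in chain:
        if entry["prev"] != prev or sha256_hex((prev + entry["body"]).encode()) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


# Constructed sample input: a signed installer whose SBOM carries one vulnerable component.
PACKAGE = b"acme-widget-1.0.0 installer bytes (constructed)"
DOWNLOAD = {"host": "downloads.acme.example", "vendor_declared_host": "downloads.acme.example",
            "cert_issuer": "Example Trusted CA", "server_country": "US", "redirects": []}
SBOM = [("openssl", "3.0.1"), ("zlib", "1.2.13")]
SIGNATURE = {"supplier": "ACME Corp", "signer": "ACME Signing Service", "sha256": sha256_hex(PACKAGE)}

if __name__ == "__main__":
    result = assess(PACKAGE, DOWNLOAD, SBOM, SIGNATURE)
    chain = build_evidence_chain(result)
    print(result["score"], verify_evidence_chain(chain))
```

With the sample input, every step passes except the vulnerability scan, and the proof-of-verification data an operator would insert into a change management record is the package digest, the score and the hash of the last chain entry; anyone holding that last hash can later re-verify the whole evidence file.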


Never trust software, always verify and report!™



Contact us today to arrange your demonstration of SAG Point Man™. 

SAG-PM™ Version 1.2.2 supports SEC cybersecurity rules 17 CFR 229.106 and NIST NVD API V 2.0

Fill in the contact form to learn how REA can help you comply with  SEC Cybersecurity Rules BEFORE the  12/2023 effective date


Don't take risks when the SEC Cybersecurity Regulations (17 CFR 229.106) go into effect in December 2023. Go with the company Crunchbase places at "top of the list" for SEC Cybersecurity.


[UPDATE 08/11/2023] REA has released version 1.2.1 of SAG-PM™ and is available now with updated support enabling Companies to comply with the SEC Cybersecurity Rules that go into effect December 2023, contained in the Code of Federal Regulations under  17 CFR 229.106. These rules require Officers and Directors to take direct responsibility for proper "good faith" cybersecurity controls and processes to proactively  detect the presence of cyber-risks using cybersecurity practices and policies that need to be disclosed to the SEC on a periodic basis. The new rules also require the reporting of a material cyber-incident within 96 hours. This opens the door for shareholder scrutiny of cybersecurity controls and processes, which could lead to a Caremark lawsuit holding Officers and Directors personally liable in the event of shareholder losses resulting from a cyber-incident. REA helps Officers and Directors protect themselves from liability by retaining tamper-proof evidence of software supply chain cyber-risk detection controls and processes, including the detection of CISA Known Exploited Vulnerabilities, following the SAG patented methods and a "chain of custody protocol" designed to ensure the integrity of evidence data for presentation in any lawsuits or SEC actions.  Companies submit evidence of their SAG risk detection processes and controls into the SAG-CTR™ Evidence Locker as part of a software risk assessment procedure where it is securely preserved using a "chain of custody protocol" designed to maintain the integrity of tamper-proof evidence data.

REA provides the NIST based good faith software risk management process documentation disclosure materials required by the new SEC  regulations in a Form 10-K and tamper-proof evidence for cyber-risk detection controls that may be presented in court, or during an SEC action, to help protect Officers and Directors from personal liability, in the event of a cyber-incident. Additional  details of the REA solution for SEC Cybersecurity Regulations is provided in REA's BSides CT presentation from September 30, 2023

Never trust software, always verify and report! ™


[UPDATE 01/02/2023] REA is pleased to announce a new, free to use public service that provides software consumers access to software trust scores, called a SAGScore™ for apps in app stores and other applications available from the Internet. A SAGScore™ is conceptually similar to a FICO score, but uses criteria and methods specific to assessing software supply chain risk and the trustworthiness of software. More details are available online in this article.


[UPDATE 11/05/2022] The IETF Supply Chain Integrity, Transparency and Trust (SCITT) work group is meeting in London this week to discuss the need for a "TRUSTED REGISTRY" for software objects and other artifacts, identified in the official SCITT use case document. The SAG-CTR™ Trust Registry is the ideal, secure way to store tamper-proof evidence of proactive cybersecurity controls to detect risk in software supply chains before procurement and installation to help Directors and Officers produce court quality evidence to prove "duty of care" obligations to satisfy new SEC cybersecurity rules going into effect in 2023, and any shareholder lawsuits following a cyber-incident that results in shareholder losses. 


[UPDATE 09/28/2022] SAG-PM version 1.2 was released today with support for CycloneDX version 1.4 and SPDX Version 2.3. This release addresses the requirements outlined in OMB memo M-22-18, released on September 14, 2022, to address software supply chain requirements contained in Executive Order 14028 following NIST recommendations.  An open-source, free to use Vendor Response File is used to give Federal Procurement Officer an automated, machine-readable method to acquire and categorize SBOM, self-attestation letters, NIST Vulnerability Disclosure Reports (VDR) and other requirements of M-22-18. 


[UPDATE 07/08/2022] A SAG-PM™ V 1.1.8 presentation is now available online describing how the SAG patent, US11,374,961, methods, processes and criteria, may be used to bring visibility of trustworthiness to APP stores.


[UPDATE 3/11/2022] SAG-PM™ version 1.1.8 is now available with even broader support for SBOM vulnerability reporting, including "CARFAX for software" concepts SBOM VDR and CycloneDX VEX, and proven integration with 3rd party SBOM repositories, such as Jitsuin RKVST. 


[UPDATE 1/11/2022]  The Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™)  version 1.1.7 release is the most advanced commercial platform  available to perform Software Rapid Risk Assessment™ (SRRA™) methods  based on the open-source, free to use, SBOM Vulnerability Disclosure Report (VDR) XML schema, version 1.1.7.  
 

The May 12, 2021, Cybersecurity Executive Order, 14028, which takes  effect in August 2022, requires software vendors to provide Federal  Agencies with an SBOM and notification of vulnerabilities. Federal  agencies use the SBOM and VDR as part of a risk assessment process  defined by NIST in SP 800-161 Appendix F. Federal agencies, and other  software consumers use SAG-PM™ version 1.1.7 to automate software risk assessments,  determining software risks within installed software products within  seconds using the SRRA™ methods implemented in SAG-PM™. 


[UPDATE 12/17/2021]: SAG-PM™ Version 1.1.6 was released on December 1st with support for NIST Guidance contained in SP 800-161 R2 Appendix F, which provides government agencies with implementation guidance to meet Executive Order 14028 requirements. This version adds JSON support for both SPDX and CycloneDX formats and a new "touchless" method to add vendor products to the SAG-PM™ database. Consumers rely entirely on software vendors to provide all of the information and data needed to implement a NIST compliant risk assessment pursuant to Executive Order 14028. SAG-PM™ also helps software vendors prepare for Executive Order 14028 by enabling the construction of SBOM's for legacy applications and by providing a "baseline" Vulnerability Disclosure Report based on SBOM contents.

 Software customers and government agencies can begin to prepare now to perform a NIST compliant risk assessment using the combination of vendor supplied SBOM and Vulnerability disclosure data to meet the Executive Order 14028 deadlines in 2022. 

  

[UPDATE 11/7/2021] : SAG-PM 1.1.5™ is now available containing full support for the open source, free to use, Vendor Response File (VRF) and Vulnerability  Disclosure Report (VDR) file formats to help companies comply with legislation making its way through Congress, H.R. 4611 Software consumers use SAG-PM™ to protect themselves from malicious software, such as ransomware, by performing a proactive risk assessment on a software package before any attempt to install. Software vendors use SAG-PM™ to protect themselves from harmful software that may be used in their operations or during product development to detect risk in embedded software components and generate a baseline Vulnerability Disclosure Report. This version of SAG-PM™ also implements a complete suite of evidence collection functions that are needed to meet NIST C-SCRM and NATF Security Assessment Model requirements. 

 

UPDATE: The production release of SAG-PM™ Version 1.1.3 is now available. This release implements    supported Software Bill of Materials (SBOM) formats for both software vendors and consumers.  Software vendors can now use SAG-PM™ to create SBOM's in SPDX format for distribution to their customers, while simultaneously performing a risk assessment, before distributing their software products commercially. SAG-PM™ continues to support both SPDX and CycloneDX SBOM formats for software consumers to use in conducting a C-SCRM software risk assessment. This release of SAG-PM™  satisfies the key "Software Bill of Materials" (SBOM) requirements of President Biden's Cybersecurity Executive Order issued on 5/12/2021 and the risk management controls for critical infrastructure industrial control systems identified in the  Cybersecurity Memorandum issued on 7/28/2021.  A consumer's perspective of SBOM's is available here. 


[UPDATE 9/28/2021] REA has taken a significant step to help software vendors and software consumers easily implement NIST compliant Cyber Supply Chain Risk Management (C-SCRM) best practice with NTIA supported SBOM required for Executive Order 14028, by open-sourcing its Vendor Response XML File format/schema to meet NATF software supply chain vetting requirements for NERC CIP-013-1 and CIP-010-3 standards. This consistent, easy to use,  Response File format helps both customers and vendors by eliminating the varied, and numerous supply chain questionnaires that software vendors are receiving. A software consumer downloads the vendors XML Response File in the standard format provided by REA and can store the information provided in an evidence locker, for use during NERC audits and during vendor due diligence proceedings and contract negotiations. The open source , free to use, XML Response File schema, an example Vendor Response XML and a Known Vulnerability Disclosure statement are all available on GitHub  


The 1.1.2 release of SAG-PM™ also introduces the Software Assurance Guardian™ (SAG™) Community Trust Registry (SAG-CTR™), where parties declare their trust in a software package and digital signature combination, and other community members can view these trust declarations. SAG-CTR™ data is a key contributing factor in the statistically calculated SAGScore™, indicating a level of Trustworthiness. Software products that achieve a critical mass of community trust declarations in SAG-CTR™ are eligible to proudly display the "SAG-STAR™" emblem, indicating a high level of community trust in their product.


An Energy Central PowerTalk session on 5/6/2021 is now available on demand. It includes a demonstration of the SAG-PM™ software supply risk assessment 7-step process and evidence file reporting, with an emphasis on overcoming known flaws in NERC ERO-approved guidance to verify software source identification and integrity verification for NERC CIP-010-3 Part 1.6 regulations.


A SAG-PM™ presentation delivered at the OWASP BSides CT meeting on 11/14/2020 is now available online; it describes the patented 7-step software supply chain risk assessment. A video recording of the event is also available.


An Energy Central Powersession was conducted on 8/12/2020 that goes into detail on the SAG-PM™ software supply chain risk assessment process. It is now available on demand.


The patented (US11,374,961) Software Assurance Guardian™ product line has been updated with the first of its kind SAG Point Man™ software application, also known as SAG-PM™. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad, harmful software into an operational system. SAG-PM performs seven critical investigative steps on a software object's installation file as part of a comprehensive software supply chain risk assessment process that calculates a SAGScore™, indicating a level of Trustworthiness for the software object itself and the parties serving roles within the software supply chain. These seven steps implement best practices to augment NERC CIP-010-3 using the NIST Cybersecurity Framework V1.1, as suggested by FERC in its 6/18/2020 cybersecurity White Paper, drawing on the respective NIST functions ID.RA, ID.RM and ID.SC:

  • Source Server Location and SSL Certificate Validation against "accredited Certificate Authorities" and Software Source vendor-supplied information
  • Perform a provenance check by evaluating the path used to acquire a software object for possible man-in-the-middle attacks, blacklisted sites and geographic locations that may belong to entities hostile to the United States
  • Introspection of a software object's installation package resulting in a Software Bill of Materials (SBOM) that is used to identify potential risk, in order to determine the trustworthiness of a software object
  • Extensive vulnerability scan using known and trustworthy Vulnerability Databases, such as the NIST NVD
  • Verification of Vendor credentials and processes to ensure that each vendor in the supply chain has been properly vetted and approved as implementing trustworthy business practices and control procedures to protect against any type of taint that may impact a software object's trustworthiness
  • Verification of digitally signed software installation packages to ensure that no changes have occurred since the object was signed. This step also verifies the trust relationship between an SBOM Software Supplier and a party authorized by the software supplier to apply a digital signature to a software package on their behalf.
  • Perform a comprehensive malware scan of the software installation package using Microsoft Defender as the default scanner, with the VirusTotal malware scanning service suite as an option

The process concludes with a statistically calculated trustworthiness score, called a SAGScore™, indicating a trustworthiness level based on the results of these seven investigative steps. All results are stored in an evidence file for posterity and may be presented to auditors or forensic personnel. A proof of verification record is also generated, for insertion into a Change Management System, as required by NERC CIP-010-3 R1, Part 1.6 for evidence of compliance.
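To make three of the steps above concrete (SBOM introspection against a vulnerability database, integrity verification of the installation package, and the evidence record handed to auditors), here is an added example in Python. It is not SAG-PM™ code and does not implement the SAGScore™; the CycloneDX-style SBOM fragment, the vulnerability records (with placeholder identifiers rather than real CVEs), the `fixed_in` range convention, the severity threshold and the sample installer bytes are all constructed assumptions for the illustration.

```python
"""Added illustration (not SAG-PM(TM) code): match SBOM components against a
vulnerability list, verify installer integrity against a supplier-published
hash, and emit a tamper-evident evidence record for auditors."""
import hashlib
import hmac
import json
import re

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed CycloneDX-style SBOM fragment; the component names are invented.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.2.3"},
        {"type": "library", "name": "otherlib", "version": "4.0.0"},
        {"type": "library", "name": "thirdlib", "version": "0.9.1"},
    ],
})

# Constructed vulnerability records with placeholder ids (not NVD data).
# Assumed convention: every version strictly below "fixed_in" is affected.
VULN_DB = [
    {"id": "EXAMPLE-VULN-0001", "name": "examplelib", "fixed_in": "1.2.4", "severity": "HIGH"},
    {"id": "EXAMPLE-VULN-0002", "name": "thirdlib", "fixed_in": "0.9.1", "severity": "CRITICAL"},
]

# Constructed installer bytes and the hash a supplier would publish out of band.
SAMPLE_INSTALLER = b"constructed installer bytes"
SAMPLE_PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def version_key(version):
    """Turn '1.2.3' into (1, 2, 3) for ordering; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def match_sbom(sbom_json, vuln_db):
    """Return vulnerability records whose affected range covers an SBOM component."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for vuln in vuln_db:
            if comp["name"] == vuln["name"] and version_key(comp["version"]) < version_key(vuln["fixed_in"]):
                findings.append({**vuln, "component_version": comp["version"]})
    return findings


def verify_integrity(package_bytes, expected_sha256):
    """Compare the installer's SHA-256 with the supplier-published hash (constant-time)."""
    actual = hashlib.sha256(package_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def highest_severity(findings):
    """Worst severity among the findings, or NONE when the SBOM is clean."""
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default="NONE")


def build_evidence(package_bytes, expected_sha256, sbom_json, vuln_db):
    """Assemble an evidence record; the trailing digest lets an auditor detect later edits."""
    findings = match_sbom(sbom_json, vuln_db)
    body = {
        "package_sha256": hashlib.sha256(package_bytes).hexdigest(),
        "integrity_ok": verify_integrity(package_bytes, expected_sha256),
        "sbom_sha256": hashlib.sha256(sbom_json.encode()).hexdigest(),
        "findings": findings,
        "highest_severity": highest_severity(findings),
    }
    # Assumed policy: block on any integrity failure or on HIGH/CRITICAL findings.
    body["install_blocked"] = (not body["integrity_ok"]) or (
        SEVERITY_RANK[body["highest_severity"]] >= SEVERITY_RANK["HIGH"]
    )
    serialized = json.dumps(body, sort_keys=True)
    return {**body, "record_sha256": hashlib.sha256(serialized.encode()).hexdigest()}


def record_is_intact(record):
    """Recompute the record digest; True only if no field has been altered since creation."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return hmac.compare_digest(expected, record["record_sha256"])


if __name__ == "__main__":
    print(json.dumps(build_evidence(SAMPLE_INSTALLER, SAMPLE_PUBLISHED_SHA256, SBOM_JSON, VULN_DB), indent=2))
```

On the constructed data, `examplelib 1.2.3` falls below its `fixed_in` of 1.2.4 and is reported, while `thirdlib 0.9.1` is exactly the fixed version and is not; the record digest over the sorted JSON body is what makes the evidence file useful to auditors, since any later edit to a field changes the digest.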


Never trust software, always verify and report!™



Contact us today to arrange your demonstration of SAG Point Man™. 

All Logos are Trademarks of Reliable Energy Analytics LLC


Copyright © 2018 - 2024 Business Cyber Guardian a Reliable Energy Analytics LLC Company- All Rights Reserved.

