Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™)
SAG-PM™ Version 1.2.1 supports SEC cybersecurity rules 17 CFR 229.106
Fill in the contact form to learn how REA can help you comply with SEC Cybersecurity Rules BEFORE the 12/2023 effective date
Don't take risks when the SEC Cybersecurity Regulations (17 CFR 229.106) go into effect in December 2023. Go with the company Crunchbase places at "top of the list" for SEC Cybersecurity.
[UPDATE 08/11/2023] REA has released version 1.2.1 of SAG-PM™ and is available now with updated support enabling Companies to comply with the SEC Cybersecurity Rules that go into effect December 2023, contained in the Code of Federal Regulations under 17 CFR 229.106. These rules require Officers and Directors to take direct responsibility for proper "good faith" cybersecurity controls and processes to proactively detect the presence of cyber-risks using cybersecurity practices and policies that need to be disclosed to the SEC on a periodic basis. The new rules also require the reporting of a material cyber-incident within 96 hours. This opens the door for shareholder scrutiny of cybersecurity controls and processes, which could lead to a Caremark lawsuit holding Officers and Directors personally liable in the event of shareholder losses resulting from a cyber-incident. REA helps Officers and Directors protect themselves from liability by retaining tamper-proof evidence of software supply chain cyber-risk detection controls and processes, including the detection of CISA Known Exploited Vulnerabilities, following the SAG patented methods and a "chain of custody protocol" designed to ensure the integrity of evidence data for presentation in any lawsuits or SEC actions. Companies submit evidence of their SAG risk detection processes and controls into the SAG-CTR™ Evidence Locker as part of a software risk assessment procedure where it is securely preserved using a "chain of custody protocol" designed to maintain the integrity of tamper-proof evidence data.
REA provides the software risk management process documentation disclosure materials required by the new SEC regulations and tamper-proof evidence for cyber-risk detection controls that may be presented in court, or during an SEC action, to help protect Officers and Directors from personal liability, in the event of a cyber-incident.
Never trust software, always verify and report! ™
[UPDATE 01/02/2023] REA is pleased to announce a new, free to use public service that provides software consumers access to software trust scores, called a SAGScore™ for apps in app stores and other applications available from the Internet. A SAGScore™ is conceptually similar to a FICO score, but uses criteria and methods specific to assessing software supply chain risk and the trustworthiness of software. More details are available online in this article.
[UPDATE 11/05/2022] The IETF Supply Chain Integrity, Transparency and Trust (SCITT) work group is meeting in London this week to discuss the need for a "TRUSTED REGISTRY" for software objects and other artifacts, identified in the official SCITT use case document. The SAG-CTR™ Trust Registry is the ideal, secure way to store tamper-proof evidence of proactive cybersecurity controls to detect risk in software supply chains before procurement and installation to help Directors and Officers produce court quality evidence to prove "duty of care" obligations to satisfy new SEC cybersecurity rules going into effect in 2023, and any shareholder lawsuits following a cyber-incident that results in shareholder losses.
[UPDATE 09/28/2022] SAG-PM version 1.2 was released today with support for CycloneDX version 1.4 and SPDX Version 2.3. This release addresses the requirements outlined in OMB memo M-22-18, released on September 14, 2022, to address software supply chain requirements contained in Executive Order 14028 following NIST recommendations. An open-source, free to use Vendor Response File is used to give Federal Procurement Officer an automated, machine-readable method to acquire and categorize SBOM, self-attestation letters, NIST Vulnerability Disclosure Reports (VDR) and other requirements of M-22-18.
[UPDATE 07/08/2022] A SAG-PM™ V 1.1.8 presentation is now available online describing how the SAG patent, US11,374,961, methods, processes and criteria, may be used to bring visibility of trustworthiness to APP stores.
[UPDATE 3/11/2022] SAG-PM™ version 1.1.8 is now available with even broader support for SBOM vulnerability reporting, including "CARFAX for software" concepts SBOM VDR and CycloneDX VEX, and proven integration with 3rd party SBOM repositories, such as Jitsuin RKVST.
[UPDATE 1/11/2022] The Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™) version 1.1.7 release is the most advanced commercial platform available to perform Software Rapid Risk Assessment™ (SRRA™) methods based on the open-source, free to use, SBOM Vulnerability Disclosure Report (VDR) XML schema, version 1.1.7.
The May 12, 2021, Cybersecurity Executive Order, 14028, which takes effect in August 2022, requires software vendors to provide Federal Agencies with an SBOM and notification of vulnerabilities. Federal agencies use the SBOM and VDR as part of a risk assessment process defined by NIST in SP 800-161 Appendix F. Federal agencies, and other software consumers use SAG-PM™ version 1.1.7 to automate software risk assessments, determining software risks within installed software products within seconds using the SRRA™ methods implemented in SAG-PM™.
[UPDATE 12/17/2021]: SAG-PM™ Version 1.1.6 was released on December 1st with support for NIST Guidance contained in SP 800-161 R2 Appendix F, which provides government agencies with implementation guidance to meet Executive Order 14028 requirements. This version adds JSON support for both SPDX and CycloneDX formats and a new "touchless" method to add vendor products to the SAG-PM™ database. Consumers rely entirely on software vendors to provide all of the information and data needed to implement a NIST compliant risk assessment pursuant to Executive Order 14028. SAG-PM™ also helps software vendors prepare for Executive Order 14028 by enabling the construction of SBOM's for legacy applications and by providing a "baseline" Vulnerability Disclosure Report based on SBOM contents.
Software customers and government agencies can begin to prepare now to perform a NIST compliant risk assessment using the combination of vendor supplied SBOM and Vulnerability disclosure data to meet the Executive Order 14028 deadlines in 2022.
[UPDATE 11/7/2021] : SAG-PM 1.1.5™ is now available containing full support for the open source, free to use, Vendor Response File (VRF) and Vulnerability Disclosure Report (VDR) file formats to help companies comply with legislation making its way through Congress, H.R. 4611 Software consumers use SAG-PM™ to protect themselves from malicious software, such as ransomware, by performing a proactive risk assessment on a software package before any attempt to install. Software vendors use SAG-PM™ to protect themselves from harmful software that may be used in their operations or during product development to detect risk in embedded software components and generate a baseline Vulnerability Disclosure Report. This version of SAG-PM™ also implements a complete suite of evidence collection functions that are needed to meet NIST C-SCRM and NATF Security Assessment Model requirements.
UPDATE: The production release of SAG-PM™ Version 1.1.3 is now available. This release implements supported Software Bill of Materials (SBOM) formats for both software vendors and consumers. Software vendors can now use SAG-PM™ to create SBOM's in SPDX format for distribution to their customers, while simultaneously performing a risk assessment, before distributing their software products commercially. SAG-PM™ continues to support both SPDX and CycloneDX SBOM formats for software consumers to use in conducting a C-SCRM software risk assessment. This release of SAG-PM™ satisfies the key "Software Bill of Materials" (SBOM) requirements of President Biden's Cybersecurity Executive Order issued on 5/12/2021 and the risk management controls for critical infrastructure industrial control systems identified in the Cybersecurity Memorandum issued on 7/28/2021. A consumer's perspective of SBOM's is available here.
[UPDATE 9/28/2021] REA has taken a significant step to help software vendors and software consumers easily implement NIST compliant Cyber Supply Chain Risk Management (C-SCRM) best practice with NTIA supported SBOM required for Executive Order 14028, by open-sourcing its Vendor Response XML File format/schema to meet NATF software supply chain vetting requirements for NERC CIP-013-1 and CIP-010-3 standards. This consistent, easy to use, Response File format helps both customers and vendors by eliminating the varied, and numerous supply chain questionnaires that software vendors are receiving. A software consumer downloads the vendors XML Response File in the standard format provided by REA and can store the information provided in an evidence locker, for use during NERC audits and during vendor due diligence proceedings and contract negotiations. The open source , free to use, XML Response File schema, an example Vendor Response XML and a Known Vulnerability Disclosure statement are all available on GitHub
The 1.1.2 release of SAG-PM™ also introduces SAG-CTR™, The Software Assurance Guardian™ (SAG™) Community Trust Registry (SAG-CTR™), where parties declare their trust in a software package and digital signature combination where other community members can view these trust declarations. SAG-CTR™ data is a key contributing factor in the statistically calculated SAGScore™, indicating a level of Trustworthiness. Software products that achieve a critical mass of community trust declarations in SAG-CTR™ are eligible to proudly display the "SAG-STAR™" emblem, indicating a high level of community trust in their product.
An Energy Central PowerTalk session on 5/6/2021 is now available on demand which includes a demonstration of the SAG-PM ™ software supply risk assessment 7 step process and evidence file reporting with an emphasis on overcoming known flaws in NERC ERO approved guidance to verify software source identification and integrity verification for NERC CIP-010-3 Part 1.6 regulations.
A SAG-PM ™ presentation that was delivered at the OWASP BSides CT meeting on 11/14/2020, is now available online that describes the patented 7-step software supply chain risk assessment a video recording of the event is also available
An Energy Central Powersession was conducted on 8/12/2020 that goes into detail of the SAG-PM™ software supply chain risk assessment process. Now available on demand
The patented (US11,374,961) Software Assurance Guardian™ product line has been updated with the first of its kind SAG Point Man™ software application, also known as SAG-PM™. SAG-PM™ has been developed to help protect companies from vulnerable software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad, harmful software into an operational system. SAG-PM performs seven critical investigative steps on a software object's installation file as part of a comprehensive software supply chain risk assessment process that calculates a SAGScore™, indicating a level of Trustworthiness for the software object itself and parties serving roles within the software supply chain. These seven steps implement best practices to augment NERC CIP-010-3 using the NIST Cybersecurity Framework V1.1, as suggested by FERC in its 6/18/2020 cybersecurity White Paper, from each of their respective, ID.RA, ID.RM and ID.SC NIST functions:
- Source Server Location and SSL Certificate Validation against "accredited Certificate Authorities" and Software Source vendor supplied information
- Perform a provenance check by evaluating the path used to acquire a software object for possible man-in-the-middle attacks, blacklisted sites and geographic locations that may belong to entities hostile to the United States
- Introspection of a software object's installation package resulting in a Software Bill of Materials (SBOM) that is used to identify potential risk, in order to determine the trustworthiness of a software object
- Extensive vulnerability scan using known and trustworthy Vulnerability Databases, such as NIST NVD
- Verification of Vendor credentials and processes to ensure that each vendor in the supply chain has been properly vetted and approved as implementing trustworthy business practices and control procedures to protect against any type of taint that may impact a software objects trustworthiness
- Verification of digitally signed software installation packages to ensure that no changes have occurred since the object was signed. Verifies the trust relationship between an SBOM Software Supplier and a party authorized by the software supplier to apply a digital signature on a software package on their behalf.
- Perform a comprehensive malware scan of the software installation package using Microsoft Defender, as the default scanner and the suite of VirusTotal malware scanning service as an option
The process concludes with a statistically calculated trustworthiness score, called a SAGScore™, indicating a trustworthiness level based on the results of these seven investigative steps. All results are stored in a an evidence file for posterity and may be presented to auditors or forensic personnel. A proof of verification record is also generated, for insertion into a Change Management System, as required by NERC CIP-010-3 R1, Part 1.6 for evidence of compliance.
Never trust software, always verify and report!™
Contact us today to arrange your demonstration of SAG Point Man™.
All Logos are Trademarks of Reliable Energy Analytics LLC
