On December 4th, 2014, U.S. Congressional Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS) introduced H.R. 5793, the “Cyber Supply Chain Management and Transparency Act of 2014.” The proposed cyber supply chain legislation would require any organization selling software, firmware or products to the federal government to provide a bill of materials listing all third-party and open source components used, and to demonstrate that those component versions have no known vulnerabilities.
Anything (HW/SW/FW) sold to a procuring entity must come with a bill of materials of third-party and open source components (along with their versions) …
… and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by the procuring entity) …
… and must be patchable/updateable within a reasonable timeframe – as new vulnerabilities will inevitably be revealed.
Sonatype CEO Wayne Jackson is one of the world’s foremost authorities on open source software supply chain risks and a leading advocate of reform. "We would not be willing to use a known bad airbag in our cars. We would not knowingly serve E. coli-tainted spinach in our salads. And we cannot afford to include known exploitable software in our government infrastructure," says Wayne Jackson, CEO, Sonatype, Inc.
The bill was sponsored by U.S. Congressional Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS). In his introductory remarks before Congress, Congressman Ed Royce (R-CA) said, "With around ninety percent of a modern software application made up of open source components, the problem of deployed software containing open source components with known vulnerabilities is one of great concern. The nation's economy needs open source software development and applications built with it. It is precisely because of the importance of open source components to modern software development that we need to ensure integrity in the open source supply chain, so vulnerabilities are not populated throughout the hundreds of thousands of software applications that use open source components."
As a free community service, Sonatype offers a proprietary application analysis tool you can use to assess your use of open source components in a matter of minutes.
Sonatype helps organizations build better software, even faster. Like a software supply chain, applications are built by assembling open source and third-party components streaming in from a wide variety of public and internal sources. While re-use is far faster than custom code, the flow of components into and through an organization remains complex and inefficient. Sonatype’s Nexus platform applies proven supply chain principles to increase speed, efficiency and quality by optimizing the component supply chain. Sonatype has been at the forefront of creating tools to improve developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001, and the company continues to serve as the steward of the Central Repository, which served 17.2 billion component download requests in 2014 alone.