Spotlight:

Cyber Supply Chain Act

Cyber Supply Chain Management and Transparency Act of 2014

On December 4th, 2014, U.S. Congressional Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS) introduced H.R. 5793, the “Cyber Supply Chain Management and Transparency Act of 2014.” The proposed cyber supply chain legislation will ensure that any organization selling software, firmware or products to the federal government provide a bill of materials of all third party and open source components used, and demonstrate that those component versions have no known vulnerabilities.


The Goal of the Cyber Supply Chain Act

Bill of Materials

Anything (HW/SW/FW) sold to a procuring entity must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions) …

Hygiene and Avoidable Risk

… and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by the procuring entity) …

Remediation

… and must be patchable/updateable within a reasonable timeframe, as new vulnerabilities will inevitably be revealed.


Deeper Insight Into the Software Supply Chain Problem

Sonatype CEO Wayne Jackson is one of the world’s foremost authorities on open source software supply chain risks and a leading advocate of reform. "We would not be willing to use a known bad airbag in our cars. We would not knowingly serve E. coli-tainted spinach in our salads. And we cannot afford to include known exploitable software in our government infrastructure," says Wayne Jackson, CEO, Sonatype, Inc.


The Bill Sponsors

The bill was sponsored by U.S. Congressional Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS). In his introductory remarks before Congress, Congressman Ed Royce (R-CA) said "With around ninety percent of a modern software application made up of open source components, the problem of deployed software containing open source components with known vulnerabilities is one of great concern. The nation's economy needs open source software development and applications built with it. It is precisely because of the importance of open source components to modern software development, that we need to ensure integrity in the open source supply chain, so vulnerabilities are not populated throughout the hundreds of thousands of software applications that use open source components."


What's Next?

Free Tool Checks Federal Software Applications for Open Source Vulnerabilities.

As a free community service, Sonatype offers a proprietary application analysis tool you can use to assess your use of open source components in a matter of minutes.

  • Confidentially and quickly analyze your open source components
  • Create a "bill of materials" inventory of precisely which components are used and where
  • Identify specific security, quality and license risks
  • Analyze both internal and third party applications
  • Ideal for Cyber Supply Chain Act initiatives


About Sonatype

Sonatype helps organizations build better software, even faster. Like a software supply chain, applications are built by assembling open source and third party components streaming in from a wide variety of public and internal sources. While re-use is far faster than custom code, the flow of components into and through an organization remains complex and inefficient. Sonatype’s Nexus platform applies proven supply chain principles to increase speed, efficiency and quality by optimizing the component supply chain. Sonatype has been at the forefront of creating tools to improve developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001, and the company continues to serve as the steward of the Central Repository, serving 17.2 billion component download requests in 2014 alone.
