Understanding the Cybersecurity Executive Order 14028

The more recent executive order (14028) calls for NIST to provide software supply chain regulations within one year. These guidelines will determine how organizations should check for vulnerabilities within applications. 

Why do I need to create an SBOM?

An SBOM is the only way to provide a comprehensive list of the software components that comprise your applications. With the Tidelift Subscription, you will not only know which open source components are in use within your organization, you'll also be able to check the health of those applications. This report includes information on open source licenses, vulnerabilities, and dependencies. 

Protecting your open source supply chain

Managing the security of your organization’s open source supply chain can be incredibly complex. Proprietary software like SolarWinds, which was involved in a recent hack, is created by a single supplier—but with open source software, there can be dozens of open source maintainers with commit privileges for a single component. Up to 70% of code that makes up the modern application is open source—and wrangling thousands of different suppliers can seem like an insurmountable task. With the Tidelift Subscription, you can easily generate a report that satisfies the new mandatory federal requirements.

On average it takes 3 days for a disclosed open source vulnerability to be exploited. If malicious code is injected into an open source package within your application, a breach could occur at deployment, giving developers zero time to react. This malicious code serves as a backdoor into your organization.  

Preventing malicious code injection starts at the source

Tidelift partners with your organization and the developers behind open source projects to proactively protect your open source supply chain upstream. This means the open source that runs 70% of your applications is protected and maintained at the source.