SAG-PM™ is designed and priced to help small and medium businesses with limited cybersecurity staff and budgets implement software supply chain best practices
WESTFIELD, MA, USA, November 8, 2021 /EINPresswire.com/ — Reliable Energy Analytics, LLC (REA) is pleased to announce the release of SAG-PM™ version 1.1.5 with support for an open source, free to license, Vulnerability Disclosure Report (VDR), which software vendors provide to customers listing all known NIST NVD vulnerabilities in their product's Software Bill of Materials (SBOM). Legislation is making its way through Congress, H.R. 4611, that would require software vendors with new and existing contracts with the Department of Homeland Security (DHS) to supply DHS with an SBOM and a Vulnerability Disclosure. The legislation passed the House of Representatives on October 20, 2021 with a vote of 412-2 and is currently under study by the Senate Committee on Homeland Security and Governmental Affairs.
This release of SAG-PM™ can be used by software vendors to satisfy H.R. 4611 requirements by creating a baseline Vulnerability Disclosure Report (VDR) from a product's SBOM data. This lets a software vendor examine each NIST NVD reported vulnerability at the SBOM component level within the VDR and assess each one for any risk impact that may be present. The vendor updates each reported vulnerability in this baseline VDR document with Fix Status and Risk Impact information before sending the completed VDR to a customer. A software vendor notifies its customers when and where the completed VDR is available for download, usually on an access-controlled customer portal owned by the software vendor.
SAG-PM™ will automatically download a software vendor's VDR as part of a customer-initiated, NIST-compliant Cybersecurity Supply Chain Risk Management (C-SCRM) risk assessment and will use the VDR information during the NIST NVD search step of the risk assessment to flag any known vulnerabilities that have been disclosed by the vendor, as well as new vulnerabilities that the vendor may not have disclosed. This level of detail regarding known and unknown vulnerabilities gives customers greater insight into the real risk that may be present in a software product, helping to prevent the painful effects of ransomware and other malware before any attempt to install or use the product.
REA's open-source, free to use, Vendor Response File (VRF) and Vulnerability Disclosure Report (VDR), combined with a vendor-supplied Software Bill of Materials (SBOM), provide software customers with all the information they need to perform a comprehensive software supply chain risk assessment to detect and prevent harmful software from being installed, while also preserving all of the evidence data required during a NERC Cybersecurity audit for CIP-010-3 and CIP-013-1.
REA's open source VDR is a complementary superset of the information contained in an NTIA Vulnerability Exploitability eXchange (VEX) document, which reports on vulnerabilities only; VEX does not report information on SBOM components that have no NIST NVD vulnerabilities. A VDR contains the vulnerability status for all SBOM components: those with known vulnerabilities, just like VEX, and those with no reported vulnerabilities, providing a complete vulnerability disclosure for an entire SBOM.
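The reconciliation described above (vendor-disclosed vulnerabilities checked against the customer's own NIST NVD search, with every SBOM component accounted for) as an added illustration in Python; this is not SAG-PM™ code, and the VDR, SBOM and NVD structures, component names and CVE identifiers below are constructed placeholders, not REA's actual VDR format.

```python
"""Reconcile a vendor VDR against an SBOM and a customer-side NVD search.

Constructed illustration only: the VDR layout used here (component -> CVE ->
fix status / risk impact) is a hypothetical stand-in for the real format.
"""
from typing import Dict, List, Tuple

# Constructed sample SBOM component list.
SBOM_COMPONENTS: List[str] = ["libfoo", "libbar", "libbaz"]

# Constructed sample VDR. A VDR lists every SBOM component, including those
# with no CVEs (libbar, libbaz), which is what distinguishes it from VEX.
VENDOR_VDR: Dict[str, Dict[str, Dict[str, str]]] = {
    "libfoo": {"CVE-0000-0001": {"fix_status": "fixed in 2.1", "risk_impact": "low"}},
    "libbar": {},
    "libbaz": {},
}

# Constructed result of the customer's own NVD search, keyed by component.
NVD_FINDINGS: Dict[str, List[str]] = {
    "libfoo": ["CVE-0000-0001"],   # vendor disclosed this one
    "libbar": ["CVE-0000-0002"],   # newer finding the vendor has not disclosed
    "libbaz": [],
}


def reconcile(sbom: List[str],
              vdr: Dict[str, Dict[str, Dict[str, str]]],
              nvd: Dict[str, List[str]]) -> Tuple[Dict[str, dict], List[str]]:
    """Return (per-component status, SBOM components absent from the VDR).

    For each component: 'disclosed' holds NVD findings the vendor already
    reported (with the vendor's fix status and risk impact), 'undisclosed'
    holds NVD findings the vendor did not report, and 'clean' is True only
    when NVD found nothing AND the vendor's VDR actually covers the component.
    """
    missing = [c for c in sbom if c not in vdr]
    report: Dict[str, dict] = {}
    for component in sbom:
        disclosed = vdr.get(component, {})
        found = set(nvd.get(component, []))
        report[component] = {
            "disclosed": {cve: disclosed[cve] for cve in sorted(found & set(disclosed))},
            "undisclosed": sorted(found - set(disclosed)),
            "clean": not found and component in vdr,
        }
    return report, missing
```

A component that is missing from the VDR is never reported as clean, because an absent entry is a gap in the vendor's disclosure rather than evidence of no vulnerabilities.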
SAG-PM™ version 1.1.5 was designed to help small and medium businesses with limited cybersecurity staff and budgets implement software supply chain best practices to detect and prevent the installation of malware. SAG-PM™ is offered as a subscription service, with prices ranging from $300 per month for 50 risk assessments to $1,800 per year for 600 risk assessments.
REA is a proud IEEE Entrepreneurship Program Participant and an Amazon Web Services (AWS) Activate partner. Never trust software, always verify and report! ™
Reliable Energy Analytics LLC
Source: EIN Presswire