NIST Supply Chain Integrity Initiative
Type: Initiative
ID: SP-800-53
Version: 1.0.0
Bundle-Version: v2
Source: v2/initiatives/sp-800-53.yaml
Help: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
This initiative enforces key supply chain requirements from NIST SP 800-53. It mandates that container builds include:
- A Software Bill of Materials (SBOM) to ensure component inventory and traceability, addressing requirements from SR-4 and CM-8.
- Provenance data to support architectural traceability, as outlined in SA-8.

Both the SBOM and the provenance artifacts must be cryptographically signed to meet the integrity requirements specified in SA-12.
Controls Overview
Control Name | Control Description | Mitigation |
---|---|---|
[SR4_CM8] SBOM Requirement | Enforce that every container build includes a Software Bill of Materials (SBOM), ensuring that all components are inventoried and traceable. This requirement addresses both SR-4 and the component inventory aspects of CM-8. | Ensures complete visibility into container components, reducing the risk of unvetted or vulnerable code entering the supply chain. |
[SA8] Provenance Requirement | Enforce that every container build includes provenance data, supporting traceability within the security architecture as required by SA-8. | Provides a clear audit trail of the build process, mitigating risks related to unidentified or untraceable changes. |
[SA12] SBOM Signature Enforcement | Enforce that the SBOM is cryptographically signed to verify its integrity and authenticity, aligning with SA-12 requirements. | Prevents unauthorized modifications by ensuring that only signed SBOMs are accepted. |
Evidence Defaults
Field | Value |
---|---|
signed | False |
Detailed Controls
[SR4_CM8] SBOM Requirement
Enforce that every container build includes a Software Bill of Materials (SBOM), ensuring that all components are inventoried and traceable. This requirement addresses both SR-4 and the component inventory aspects of CM-8.
Mitigation
Ensures complete visibility into container components, reducing the risk of unvetted or vulnerable code entering the supply chain.
Rules
Rule ID | Rule Name | Rule Description |
---|---|---|
require-sbom | Require SBOM | Ensure an SBOM is provided for all container builds. |
image-labels | Verify Supply Chain Labels | Confirm that container images include required opencontainers labels: |
NTIA-compliance | NTIA SBOM Compliance Check | Verifies that the SBOM includes valid authors and supplier data following NTIA guidelines. Optionally enforces a required_author and required_supplier if provided. |
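The following is an added illustration of how the `require-sbom` and `NTIA-compliance` rules above can be evaluated against a build's SBOM; it is not the initiative bundle's own rule engine. The function names, the `Finding` record, the handling of CycloneDX and SPDX JSON, and the two sample documents are assumptions for the example. The optional `required_author` and `required_supplier` parameters correspond to the optional settings named in the rule table.

```python
"""Evaluate SR4_CM8 rules (require-sbom, NTIA-compliance) against an SBOM document.

Added example, not the initiative's own code. Field lookups follow the public
CycloneDX (metadata.authors / metadata.supplier) and SPDX 2.x JSON
(creationInfo.creators / packages[].supplier) schemas; everything else is assumed.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    rule_id: str
    passed: bool
    detail: str


def _cyclonedx_authors_supplier(doc: dict) -> tuple[list[str], Optional[str]]:
    """Return SBOM author names and the supplier name from CycloneDX metadata."""
    meta = doc.get("metadata", {})
    authors = [a["name"].strip() for a in meta.get("authors", []) if a.get("name")]
    supplier = (meta.get("supplier") or {}).get("name")
    return authors, supplier


def _spdx_authors_supplier(doc: dict) -> tuple[list[str], Optional[str]]:
    """Return Person/Organization creators (tools are not authors) and the first
    asserted package supplier from an SPDX 2.x JSON document."""
    creators = doc.get("creationInfo", {}).get("creators", [])
    authors = [c.split(":", 1)[1].strip() for c in creators
               if c.startswith(("Person:", "Organization:"))]
    supplier = None
    for pkg in doc.get("packages", []):
        s = pkg.get("supplier")
        if s and s != "NOASSERTION":
            supplier = s.split(":", 1)[1].strip() if ":" in s else s
            break
    return authors, supplier


def evaluate_sbom(sbom_json: Optional[str],
                  required_author: Optional[str] = None,
                  required_supplier: Optional[str] = None) -> list[Finding]:
    """Run require-sbom, then NTIA-compliance, returning one Finding per rule."""
    findings: list[Finding] = []
    # require-sbom: the build must carry a parseable SBOM in a known format.
    doc = None
    if sbom_json:
        try:
            doc = json.loads(sbom_json)
        except json.JSONDecodeError:
            doc = None
    if doc is None:
        findings.append(Finding("require-sbom", False, "no parseable SBOM attached to build"))
        findings.append(Finding("NTIA-compliance", False, "skipped: no SBOM"))
        return findings
    if doc.get("bomFormat") == "CycloneDX":
        authors, supplier = _cyclonedx_authors_supplier(doc)
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        authors, supplier = _spdx_authors_supplier(doc)
    else:
        findings.append(Finding("require-sbom", False, "unrecognized SBOM format"))
        findings.append(Finding("NTIA-compliance", False, "skipped: unrecognized format"))
        return findings
    findings.append(Finding("require-sbom", True, "SBOM present"))

    # NTIA-compliance: author of the SBOM data and a supplier must be present;
    # optionally pin them to the values the policy requires.
    problems = []
    if not authors:
        problems.append("no SBOM author recorded")
    if not supplier:
        problems.append("no supplier recorded")
    if required_author and required_author not in authors:
        problems.append(f"required author {required_author!r} missing")
    if required_supplier and supplier != required_supplier:
        problems.append(f"supplier {supplier!r} != required {required_supplier!r}")
    findings.append(Finding("NTIA-compliance", not problems,
                            "; ".join(problems) or "authors and supplier present"))
    return findings


# Constructed sample inputs (not real SBOMs): one compliant CycloneDX document
# and one SPDX document whose only creator is a tool and whose supplier is unasserted.
CYCLONEDX_OK = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"authors": [{"name": "Build Team", "email": "build@example.test"}],
                 "supplier": {"name": "Example Corp"}},
    "components": [{"type": "library", "name": "libfoo", "version": "1.2.3"}],
})
SPDX_TOOL_ONLY = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {"creators": ["Tool: example-sbom-gen-0.1"],
                     "created": "2024-01-01T00:00:00Z"},
    "packages": [{"name": "libfoo", "versionInfo": "1.2.3", "supplier": "NOASSERTION"}],
})

if __name__ == "__main__":
    for label, sbom in (("cyclonedx", CYCLONEDX_OK), ("spdx", SPDX_TOOL_ONLY), ("none", None)):
        for f in evaluate_sbom(sbom, required_supplier="Example Corp"):
            print(f"{label:10} {f.rule_id:16} {'PASS' if f.passed else 'FAIL'}  {f.detail}")
```

A tool-generated SPDX document is a common way to fail the NTIA check: the generator records itself under `Tool:` but no person or organization, so the SBOM has no accountable author, and package suppliers are left as `NOASSERTION`. The evaluator treats a missing or unparseable SBOM as a failure of both rules rather than silently passing the second one.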
[SA8] Provenance Requirement
Enforce that every container build includes provenance data, supporting traceability within the security architecture as required by SA-8.
Mitigation
Provides a clear audit trail of the build process, mitigating risks related to unidentified or untraceable changes.
Rules
Rule ID | Rule Name | Rule Description |
---|---|---|
SLSA.L1 | Require Provenance | Ensure provenance data is present for container builds. |
[SA12] SBOM Signature Enforcement
Enforce that the SBOM is cryptographically signed to verify its integrity and authenticity, aligning with SA-12 requirements.
Mitigation
Prevents unauthorized modifications by ensuring that only signed SBOMs are accepted.
Rules
Rule ID | Rule Name | Rule Description |
---|---|---|
require-sbom | Signed SBOM Requirement | Validate that the SBOM is cryptographically signed. |
SLSA.L2 | Signed Provenance Requirement | Validate that the provenance data is cryptographically signed. |