Skip to main content

NIST Supply Chain Integrity Initiative

Type: Initiative
ID: SP-800-53
Version: 1.0.0
Bundle-Version: v2
Source: v2/initiatives/sp-800-53.yaml
Help: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final

This initiative enforces key supply chain requirements from NIST SP 800-53. It mandates that container builds include:

  • A Software Bill of Materials (SBOM) to ensure component inventory and traceability, addressing requirements from SR-4 and CM-8.
  • Provenance data to support architectural traceability, as outlined in SA-8. Both the SBOM and the provenance artifacts must be cryptographically signed to meet integrity requirements specified in SA-12.

Required Evidence

This initiative requires the following evidence types:

Evidence Defaults

FieldValue
signedFalse

Rule Parameters

To configure this initiative for your organization needs, the following parameters should be specified:

  • [SR4_CM8] SBOM Requirement
    • Verify Supply Chain Labels
      • labels: array - A list of required labels.
        Default: ['org.opencontainers.image.created', 'org.opencontainers.image.revision', 'org.opencontainers.image.source', 'org.opencontainers.image.version', 'org.opencontainers.image.licenses'].
    • NTIA SBOM Compliance Check
      • required_author: object - The required author (case-insensitive match for name/email).
      • required_supplier: object - The required supplier (case-insensitive match for supplier name).

Controls Overview

Control NameControl DescriptionMitigation
[SR4_CM8] SBOM RequirementEnforce that every container build includes a Software Bill of Materials (SBOM), ensuring that all components are inventoried and traceable. This requirement addresses both SR-4 and the component inventory aspects of CM-8.Ensures complete visibility into container components, reducing the risk of unvetted or vulnerable code entering the supply chain.
[SA8] Provenance RequirementEnforce that every container build includes provenance data, supporting traceability within the security architecture as required by SA-8.Provides a clear audit trail of the build process, mitigating risks related to unidentified or untraceable changes.
[SA12] SBOM Signature EnforcementEnforce that the SBOM is cryptographically signed to verify its integrity and authenticity, aligning with SA-12 requirements.Prevents unauthorized modifications by ensuring that only signed SBOMs are accepted.

Detailed Controls

[SR4_CM8] SBOM Requirement

Enforce that every container build includes a Software Bill of Materials (SBOM), ensuring that all components are inventoried and traceable. This requirement addresses both SR-4 and the component inventory aspects of CM-8.

Mitigation

Ensures complete visibility into container components, reducing the risk of unvetted or vulnerable code entering the supply chain.

Rules

Rule IDRule NameRule Description
require-sbomRequire SBOMEnsure an SBOM is provided for all container builds.
image-labelsVerify Supply Chain LabelsConfirm that container images include required opencontainers labels:
NTIA-complianceNTIA SBOM Compliance CheckVerifies that the SBOM includes valid authors and supplier data following NTIA guidelines. Optionally enforces a required_author and required_supplier if provided.

[SA8] Provenance Requirement

Enforce that every container build includes provenance data, supporting traceability within the security architecture as required by SA-8.

Mitigation

Provides a clear audit trail of the build process, mitigating risks related to unidentified or untraceable changes.

Rules

Rule IDRule NameRule Description
SLSA.L1Require ProvenanceEnsure provenance data is present for container builds.

[SA12] SBOM Signature Enforcement

Enforce that the SBOM is cryptographically signed to verify its integrity and authenticity, aligning with SA-12 requirements.

Mitigation

Prevents unauthorized modifications by ensuring that only signed SBOMs are accepted.

Rules

Rule IDRule NameRule Description
require-sbomSigned SBOM RequirementValidate that the SBOM is cryptographically signed.
SLSA.L2Signed Provenance RequirementValidate that the provenance data is cryptographically signed.