Experts say the software supply chain is at the heart of critical infrastructure security, and the executive order is a step forward in shoring up vulnerabilities.
"You can't protect what you can't see. And too many organizations don't have a full picture of what's inside their software. Most aren't even looking," Brian Fox, chief technology officer at Sonatype, said in a statement. The company develops software to help manage supply chain security.
Software security requires "full visibility to all of the code in an application. An SBOM is the only way to do this," Fox said.
SBOMs indicate what components are in a piece of software, allowing end users to track and patch vulnerabilities. EEI and NATF have been working with the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) and the Department of Energy's Idaho National Laboratory, launching a proof-of-concept program for the energy sector to utilize SBOMs.
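As an added illustration of the SBOM use the article describes (example code, not part of the article or of any vendor's product): a short script reads a constructed CycloneDX-style SBOM, then checks each listed component against a constructed advisory list so an operator can see which components need patching. The component names, versions and advisory ids are made-up placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment (placeholder data, not from the article).
# Only the fields needed to identify a component are modelled: name, version, purl.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample", "version": "1.2.3",
     "purl": "pkg:generic/libexample@1.2.3"},
    {"type": "library", "name": "parserlib", "version": "0.9.0",
     "purl": "pkg:generic/parserlib@0.9.0"},
    {"type": "library", "name": "netutil", "version": "2.0.1",
     "purl": "pkg:generic/netutil@2.0.1"}
  ]
}
"""

# Constructed advisory feed keyed by component name. Real feeds express affected
# versions as ranges; exact-version sets are used here to keep the matching simple.
ADVISORIES = {
    "parserlib": [{"affected": {"0.9.0", "0.9.1"}, "fixed_in": "0.9.2",
                   "id": "ADV-PLACEHOLDER-1"}],
    "netutil": [{"affected": {"1.0.0"}, "fixed_in": "1.0.1",
                 "id": "ADV-PLACEHOLDER-2"}],
}


def load_components(sbom_text):
    """Return (name, version) pairs for every component declared in the SBOM."""
    bom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_affected(components, advisories):
    """Return (name, version, fixed_in, advisory_id) for each component whose
    version appears in an advisory's affected set; unlisted components pass."""
    hits = []
    for name, version in components:
        for adv in advisories.get(name, []):
            if version in adv["affected"]:
                hits.append((name, version, adv["fixed_in"], adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, fixed_in, adv_id in find_affected(load_components(SBOM_JSON), ADVISORIES):
        print(f"{name} {version} affected by {adv_id}; upgrade to {fixed_in}")
```

Without the inventory the SBOM provides, the same check would require guessing which libraries a binary bundles, which is the visibility gap the article's sources describe.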
The order "clearly acknowledges the value of government-industry partnership," EEI President Tom Kuhn said in a statement, adding that the group supports improving coordination "across government and with the private sector."
"We have long maintained that grid security is a shared responsibility," Kuhn said.