NTIA Launches Software Transparency Initiative, Seeking Stakeholder Participation
The Department of Commerce’s National Telecommunications and Information Administration (NTIA) is kicking off the third in a series of multistakeholder efforts targeting cybersecurity and the Internet of Things (IoT). NTIA is the Executive Branch agency responsible by law for advising the President on telecommunications and information policy issues and is engaged with global technology policy on behalf of the United States.
Such multistakeholder proceedings are often cited as evidence that prescriptive regulation is not necessary or appropriate. Time will tell if this proceeding bears fruit and advances security discussions. Much of the outcome depends on what interests and organizations show up to participate.
This initiative will look at whether and how increased disclosures and transparency related to software components can help with lifecycle management of IoT devices and security more broadly. One idea that has been raised is to develop a software bill of materials.
Administrator Redl notes, “[t]hrough an open, transparent, and consensus-based process, NTIA will work to identify how software component data can be shared, what practices can be easily and voluntarily adopted, and what policy and market challenges should be addressed by the broad community.”
As with similar NTIA multistakeholder activities on cybersecurity and tech, the participants will determine the appropriate scope and goals. And scoping will be critical. If NTIA casts too wide a net, the work product may not be useful, but if the agency drills down into industry verticals or use cases, it may not get broad participation.
Several fundamental questions remain open, including what gaps exist in the market that this effort can cure.
NTIA states the objectives of the first meeting are to:
Share the perspectives and concerns of both the vendor and enterprise customer communities;
Discuss and acknowledge what is already working;
Explore obstacles and challenges for greater transparency and better risk decisions;
Identify promising areas of potential collaboration;
Engage stakeholders in a discussion of logistical issues, including internal structures such as a small drafting committee or various working groups, and the location and frequency of future meetings; and
Identify concrete goals and stakeholder work following the first meeting.
Prior efforts by NTIA resulted in guidance on coordinated vulnerability disclosure programs and a series of documents related to security patching and upgradability, including consumer disclosure practices.
Wiley Rein regularly works with NTIA and has participated in prior multistakeholder efforts. We look forward to engaging on the forthcoming software component transparency initiative, and are happy to answer any questions about the process and the wisdom of particular entities engaging with NTIA.