RELIABLE ENERGY ANALYTICS (REA)

Reliable Energy Analytics LLC (REA™) supplies industries and government agencies with NIST-compliant cybersecurity software supply chain risk management (C-SCRM / CSCRM) software to meet Executive Order 14028 requirements using NTIA Software Bill of Materials (SBOM) artifacts. The patented SAG™ Methods and SAGScore™ trust score for app stores (US 11374961) and Software Assurance Guardian™ (SAG™) Point Man™ (SAG-PM™) software supply chain risk assessment application has continued to evolve and improve, and now stands at version 1.1.8, with support for both SPDX and CycloneDX SBOM formats. SAG-PM™ has been developed to help protect small and medium sized companies from malicious software objects and untrustworthy parties that may have compromised the integrity of a software supply chain, preventing the installation of bad, harmful software, i.e. ransomware, into an operational system.

REA has become the de-facto testing partner for the NTIA SBOM community, serving in the role of a software consumer for SBOM interoperability testing with numerous software vendors. REA is an IEEE Entrepreneurship Program Member and an Amazon Web Services (AWS) Activate Company. REA is an active Member of the DHS CISA ICT_SCRM Task Force, Small and Medium Business Work Group developing tools to help small and medium businesses secure their software supply chains and prevent the installation of ransomware and other malware. Never trust software, always verify and report!™

SAG-PM™ performs a patented (US 111372961) software supply chain risk assessment process containing seven critical investigative steps on a software object's installation file as part of a comprehensive software supply chain risk assessment process that calculates a SAGScore™, indicating a level of Trustworthiness for the software object itself and parties serving roles within the software supply chain.
A SAGScore™ is conceptually similar to a FICO Score, but for the trustworthiness of a software object to perform as expected. When applied to apps on app stores, the SAGScore™ gives a software consumer visibility into the trustworthiness of each app, which can help consumers decide which app to install from a set of search results, based on the highest SAGScore™. These seven steps implement best practices to augment NERC CIP-010-3 software verification standards by applying the NIST Cybersecurity Framework V1.1 and the NTIA Software Bill of Materials (SBOM) standards recognized by the Department of Commerce NTIA SBOM initiative.

The May 12, 2021 Cybersecurity Executive Order, 14028, mandates that Federal Agencies and Departments require all software vendors of critical software to provide SBOMs as part of their software product distributions. An SBOM will enable Federal buyers of software products to conduct a software risk assessment, using SAG-PM™, to determine the trustworthiness of a software package prior to installation. This "proactive" risk assessment can detect harmful malware, such as ransomware and other nefarious software, preventing it from being installed in a digital ecosystem, where it can cause damage.

The process concludes with a statistically calculated trustworthiness score, called a SAGScore™, indicating a trustworthiness level based on the results of these seven investigative steps. All results are stored in an evidence file for posterity and may be presented to auditors or forensic personnel. A proof of verification record is also generated, for insertion into a Change Management System, as required by NERC CIP-010-3 R1, Part 1.6 for evidence of compliance.
An AWS cloud-based SAGServer™ provides database and other support services to the SAG-PM™ software application, including a List of Trusted Software Objects in the SAG-CTR™ Community Trust Registry that have been digitally signed and that the SAG-PM™ user community has identified as trustworthy. Software products that receive multiple trust registrations from the SAG-PM™ end user community can receive the SAG-STAR™ label to indicate their high level of trustworthiness.

REA has open-sourced its free-to-use Vendor Response File Format and Vulnerability Disclosure Report XML schemas to help software vendors and consumers exchange critical information required to meet Executive Order 14028 and the new "SBOM Bill" making its way through Congress, H.R. 4611. A sample use case showing all required evidence data for a comprehensive risk assessment is available online at: https://github.com/rjb4standards/REA-Products/tree/master/C-SCRM-Use-Case

Open source XML VRF and NIST Vulnerability Disclosure Report (VDR) schemas are available here: https://github.com/rjb4standards/REA-Products

REA is a proud member of the IEEE Entrepreneurship program and an Amazon Web Service (AWS) Activate partner. Never trust software, always verify and report!™

Industry:
Banking Cyber Security Government Insurance Software Supply Chain Management

Founded:
2018-12-13

Address:
Westfield, Massachusetts, United States

Country:
United States

Website Url:
http://www.reliableenergyanalytics.com

Total Employee:
1+

Status:
Active

Total Funding:
778 K USD


Similar Organizations

Algoretail

Accurate inventory management, maximum utilization of shelf-space, appearance that promotes sales recurring orders

Crypto Quantique

Crypto Quantique offers hardware based cyber-security solution for authentication and encryption in a wired local network.

Fleet Device Management

Lightweight, programmable telemetry for servers and workstations.

The Blue Estate Group

The Blue Estate is the world's first floating real estate development. A sustainable, exclusive and elegant lifestyle community.

Current Employees Featured

Dick Brooks
Co-Founder and Lead Software Engineer (CTO) @ Reliable Energy Analytics (REA)
2018-12-13

Joanne Brooks
Chief Operating Officer @ Reliable Energy Analytics (REA)
2018-12-13

Founder


Dick Brooks

Joanne Brooks

Official Site Inspections

http://www.reliableenergyanalytics.com

  • Host name: a16e665f42988324c.awsglobalaccelerator.com
  • IP address: 13.248.243.5
  • Location: Seattle United States
  • Latitude: 47.6348
  • Longitude: -122.3451
  • Metro Code: 819
  • Timezone: America/Los_Angeles
  • Postal: 98109
