In 2021, President Joe Biden signed an Executive Order which includes several mandates for strengthening cybersecurity through regulation, reporting, and oversight. The Executive Order requires developers to provide a software bill of materials (SBOM). The SBOM will bring more transparency to software, informing users of the components that the solution contains and their supply chain relationships. If a vulnerability is discovered, software vendors, resellers, and users can immediately take action to remediate it and prevent an attack.
Since President Biden signed the Executive Order, industry leaders have continued their work to meet the challenge of codifying the SBOM. The concept wasn’t entirely new: enterprises may already have requested information on the open-source or third-party components used to build the software they implemented, as part of a security review. However, as of 2021, there was no definitive, industry-wide guidance on how to create and maintain an SBOM.
Where to Find the Latest SBOM Information
These resources will keep you informed of progress toward the standard and help you devise your plan for complying with the SBOM requirements:
Begin with the language of the Executive Order itself, specifically in Section 10 (j). This section points out, “A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration.”
The Executive Order also states that SBOMs will be more valuable if stored in a repository that other systems and applications can query. This quick access to information can facilitate analyzing vulnerabilities and managing risk.
The National Telecommunications and Information Administration (NTIA) began work on SBOM guidance in 2018, bringing stakeholders together to “formulate and establish” a software bill of materials.
NTIA published a series in 2021 documenting its work, noting at that time that the “government and industry are taking up the cause.”
One of the assets available from NTIA is Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) – (2021), which lists the elements of an SBOM. According to this document, software bills of materials should include:
- The author’s name
- Time stamp for the last update
- The supplier’s name
- Component name or identifier
- Version string of the component
- Cryptographic hash of the component
- Component unique identifier
- Relationship between SBOM components
It also maps these baseline attributes to existing formats, i.e., SPDX, CycloneDX, and SWID, details component relationships, and outlines SBOM creation.
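As an added illustration (not code from NTIA or any of the cited agencies), the checker below tests a CycloneDX JSON document against the baseline elements listed above. The mapping from those elements to CycloneDX 1.4 field names is my assumption, and the sample SBOM is constructed for the example.

```python
import json

# NTIA baseline elements mapped to CycloneDX 1.4 JSON fields (mapping assumed here).
COMPONENT_CHECKS = {
    "supplier name": lambda c: c.get("supplier", {}).get("name"),
    "component name": lambda c: c.get("name"),
    "version string": lambda c: c.get("version"),
    "cryptographic hash": lambda c: c.get("hashes"),
    "unique identifier": lambda c: c.get("purl") or c.get("cpe") or c.get("swid"),
}

def check_minimum_elements(sbom: dict) -> dict:
    """Return document-level and per-component lists of missing baseline elements."""
    findings = {"document": [], "components": {}}
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings["document"].append("timestamp")
    if not any(a.get("name") for a in meta.get("authors", [])):
        findings["document"].append("author name")
    # Relationship element: every component should appear in the dependency graph.
    in_graph = set()
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        missing = [label for label, get in COMPONENT_CHECKS.items() if not get(comp)]
        if comp.get("bom-ref") not in in_graph:
            missing.append("relationship")
        if missing:
            findings["components"][comp.get("bom-ref", comp.get("name", "?"))] = missing
    return findings

# Constructed sample: "requests" is complete; "lib-b" lacks several elements and
# is absent from the dependency graph. The hash content is a placeholder value.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"timestamp": "2023-01-15T10:00:00Z", "authors": [{"name": "Example Build Team"}]},
  "components": [
    {"bom-ref": "req", "type": "library", "name": "requests", "version": "2.28.1",
     "supplier": {"name": "Python Software Foundation"}, "purl": "pkg:pypi/requests@2.28.1",
     "hashes": [{"alg": "SHA-256", "content": "00ff00ff"}]},
    {"bom-ref": "lib-b", "type": "library", "name": "libb", "version": "1.0"}
  ],
  "dependencies": [{"ref": "req", "dependsOn": []}]
}""")

if __name__ == "__main__":
    print(json.dumps(check_minimum_elements(SAMPLE_SBOM), indent=2))
```

A real review would also validate the hash algorithm and identifier format (for example, that a purl parses), which this check deliberately leaves out.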
NTIA has compiled an SBOM playlist of videos that range from introductory videos to use cases, guidance for the energy sector, and NTIA SBOM meetings.
On the National Institute of Standards and Technology (NIST) SBOM page, you’ll find an illustration of how to create and maintain an SBOM over the software lifecycle. This resource shows in which phase of the development process each part of SBOM creation or updating should occur.
The Cybersecurity and Infrastructure Security Agency (CISA) shares its commitment to SBOM standards through community engagement and development, focusing on use cases, tools, and technologies.
CISA points out that Vulnerability Exploitability eXchange (VEX) is an “SBOM-related concept.” A VEX document communicates whether a product is impacted by any known vulnerabilities. CISA invites developers to receive updates or participate in VEX-related efforts.
CISA will also provide summaries of past SBOM events, including the eight SBOM listening sessions held in 2022.
CISA’s weekly SBOM workstreams, whose goal is to educate the software and security communities about SBOM creation, use, and implementation, are scheduled for:
- Cloud and Online applications: Wednesdays, 3-4 p.m. ET
- On-Ramps and Adoption: Tuesdays, noon to 1 p.m. ET
- Sharing and Exchanging: Mondays, noon to 1 p.m. ET
- Tooling and Implementation: Thursdays, 3-4 p.m. ET
Contact SBOM@cisa.dhs.gov for information on how to join or receive updates.
SBOM standards development is a work in progress, so be sure to request updates, check these sites frequently for updates, and begin plans for how your business will comply with this mandate.