CISA Aiming to Improve SBOM Implementation With New Guidance
US Cyber Agency Issues Step-by-Step Guide to Build Software Bills of Materials
The U.S. Cybersecurity and Infrastructure Security Agency says software producers should follow a set of step-by-step instructions for creating software bills of materials as part of an effort to improve supply chain security.
The cyber defense agency published guidance Friday on building an SBOM for an assembled group of products.
The guidance includes the technical requirements for building SBOMs, which are the critical inventory lists that support effective risk mitigation strategies across software supply chains. CISA also recommended that software manufacturers include additional measures for added transparency, such as providing available identifiers for product components when appropriate and including the hash for any artifact associated with various software components.
A White House executive order from 2021 requires agencies to implement SBOMs when developing or procuring software. Often compared to ingredient lists for food products, SBOMs provide information about a software product's components, dependencies and third-party libraries (see: Experts Urge Congress to Establish Clear SBOM Guidance).
CISA has for years been working to establish SBOMs as a key component of software security and supply chain risk management across the federal government, even as many agencies have struggled to build, and to benefit from, these inventory lists in their IT contracts with software manufacturers. In 2023, the agency launched an SBOM-a-rama event designed to help the software and security communities understand the importance of SBOMs and gain further insight into community-led work on them.
The agency in April published a report detailing the different phases of the SBOM-sharing life cycle to assist the public and private sectors in choosing solutions that help provide further transparency and information sharing between software manufacturers and consumers.
In its Friday guidance, CISA said the creator of an SBOM for a product line must follow five steps:
- Determine an identifier to use.
- Determine a versioning system to use with that identifier.
- List all the product's components that are being distributed together as a group.
- Provide a version number for each component.
- Provide a reference to the build SBOM that generated each component image included in the product group as part of the PLB-SBOM.
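The five steps above, together with the hash recommendation mentioned earlier, can be turned into a small assembly and validation routine. The following is an added example, not code from CISA or from the guidance itself; it uses a CycloneDX-style JSON layout, an `example:versioning-scheme` property, and `example.invalid` URLs purely as illustrative assumptions, and the product names, versions and image bytes are constructed.

```python
"""Assemble and check a product-line SBOM (PLB-SBOM) along the five steps in the article.

Added example. The CycloneDX-style layout, the custom property name and the
sample URLs are assumptions for illustration, not CISA's prescribed format.
"""
import hashlib
import json
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ComponentImage:
    """One component image distributed as part of the product line."""
    name: str
    version: str
    artifact: bytes                    # constructed stand-in for the built image
    build_sbom_ref: str                # location of the build SBOM that produced this image (assumed)
    identifier: Optional[str] = None   # e.g. a package URL, when one is available


def sha256_hex(data: bytes) -> str:
    """Hash of the artifact, the extra transparency measure the guidance recommends."""
    return hashlib.sha256(data).hexdigest()


def build_plb_sbom(product_id: str, product_version: str,
                   versioning_scheme: str, images: List[ComponentImage]) -> Dict:
    """Assemble the product-line SBOM as a dict ready for json.dumps()."""
    components = []
    for img in images:
        comp = {
            "type": "application",
            "name": img.name,
            "version": img.version,                                  # step 4
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(img.artifact)}],
            "externalReferences": [{"type": "bom", "url": img.build_sbom_ref}],  # step 5
        }
        if img.identifier:
            comp["purl"] = img.identifier  # identifier for the component, when available
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "component": {
                "type": "application",
                "name": product_id,                                  # step 1
                "version": product_version,                          # step 2
            },
            # assumed property name recording which versioning system the identifier uses
            "properties": [{"name": "example:versioning-scheme", "value": versioning_scheme}],
        },
        "components": components,                                    # step 3
    }


def validate_plb_sbom(doc: Dict) -> List[str]:
    """Return a list of problems; an empty list means all five steps are satisfied."""
    problems = []
    top = doc.get("metadata", {}).get("component", {})
    if not top.get("name"):
        problems.append("step 1: product identifier missing")
    if not top.get("version"):
        problems.append("step 2: product version missing")
    comps = doc.get("components", [])
    if not comps:
        problems.append("step 3: no components listed")
    for i, c in enumerate(comps):
        label = c.get("name") or f"component[{i}]"
        if not c.get("version"):
            problems.append(f"step 4: {label} has no version")
        refs = [r for r in c.get("externalReferences", [])
                if r.get("type") == "bom" and r.get("url")]
        if not refs:
            problems.append(f"step 5: {label} has no build SBOM reference")
        if not c.get("hashes"):
            problems.append(f"{label} has no artifact hash (recommended extra)")
    return problems


# Constructed sample product line: names, versions, bytes and URLs are all made up.
SAMPLE_IMAGES = [
    ComponentImage("gateway-firmware", "4.2.1", b"constructed firmware image bytes",
                   "https://example.invalid/sboms/gateway-firmware-4.2.1.json",
                   "pkg:generic/gateway-firmware@4.2.1"),
    ComponentImage("mgmt-console", "2.0.0", b"constructed console package bytes",
                   "https://example.invalid/sboms/mgmt-console-2.0.0.json"),
]


def example_plb_sbom() -> Dict:
    return build_plb_sbom("example-product-line", "2024.08", "semver", SAMPLE_IMAGES)


if __name__ == "__main__":
    doc = example_plb_sbom()
    print(json.dumps(doc, indent=2))
    print("problems:", validate_plb_sbom(doc))
```

The validator is the part worth keeping in a build pipeline: run it over every PLB-SBOM before publication so that a component shipped without a version or without a pointer back to its build SBOM fails the build rather than reaching consumers.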