In 2021, President Joe Biden signed an executive order that includes multiple mandates to strengthen cybersecurity through regulation, reporting, and oversight. The decree requires developers to provide a software nomenclature (SBOM). SBOM will bring more transparency to software, informing users of the components contained in the solution and their relationship to the supply chain. If a vulnerability is discovered, software vendors, resellers, and users can immediately take steps to fix it and prevent an attack.
Since President Biden signed the executive order, industry leaders have continued their work to address the challenge of codifying SBOM. The concept was not entirely new. Companies may have requested information about the open source or third-party components used to create the software they implemented as part of a security review. However, as of 2021, there were no definitive industry-wide guidelines on how to create and maintain an SBOM.
Where to find the latest SBOM information
These resources will keep you informed of progress towards the standard and help you design your plan to comply with SBOM requirements:
- Executive Order 14028, Improving the Nation’s Cybersecurity
Start with the language of the executive order itself, particularly in section 10(j). This section points out that “a widely used, machine-readable SBOM format offers greater benefits through automation and tool integration.”
The executive order also states that SBOMs will be more useful if stored in a repository that other systems and applications can query. This quick access to information can facilitate vulnerability analysis and risk management.
The National Telecommunications and Information Administration (NTIA) began work on the SBOM guidelines in 2018, bringing together stakeholders to “formulate and establish” a software nomenclature.
The NTIA released a series in 2021 documenting its work, noting at that time that “government and industry are taking the cause.
One of the assets available from the NTIA is Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) – (2021), which lists the elements of an SBOM. According to this document, software nomenclatures must include:
- The author’s name
- Timestamp of last update
- The supplier’s name
- Component name or identifier
- Component version string
- A cryptographic component
- Component unique identifier
- Relationship between SBOM components
It also maps these basic attributes to existing formats i.e. SPDX, CycloneDX and SWID, details the relationships between components and describes how to create SBOM.
- NTIA videos on YouTube
The NTIA has compiled an SBOM playlist of videos ranging from introductory videos to use cases, guidance for the energy industry, and NTIA SBOM meetings.
On the National Institute of Standards and Technology (NIST) SBOM page, you will find an illustration of creating and maintaining an SBOM throughout the software lifecycle. This resource shows which phase of the development process specific parts of SBOM creation or updates should take place.
The Cybersecurity and Infrastructure Security Agency (CISA) shares its commitment to SBOM standards through community engagement and development, focusing on use cases, tools, and technologies.
CISA points out that Vulnerability Exploitability eXchange (VEX) is a “concept related to SBOM”. A VEX document indicates whether a product is affected by known vulnerabilities. CISA invites developers to receive updates or participate in VEX-related efforts.
CISA will also provide summaries of past SBOM events, including the eight SBOM listening sessions held in 2022.
Weekly CISA SBOM workflows, with the goal of educating the software and security communities about creating, using, and implementing SBOM, are planned to:
- Cloud and online applications: Wednesdays, 3-4 p.m. ET
- Ramps and Adoption: Tuesdays, 12-1 p.m. ET
- Share and Exchange: Mondays, 12-1 p.m. ET
- Tooling and Implementation: Thursdays, 3-4 p.m. ET
Contact [email protected] to find out how to register or receive updates.
The development of SBOM standards is a work in progress, so be sure to ask for updates, check these sites frequently for updates, and start planning how your business will comply with this mandate.