Critical infrastructure
Industries
News

NTIA releases report on minimum elements for a Software Bill of Materials

July 13, 2021
elements for a Software Bill of Materials

The National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce published on Monday a report on the minimum elements for a Software Bill of Materials (SBOM). This report is intended to serve as a foundation for continued collaboration and public-private partnerships to refine and operationalize SBOM work. The NTIA is an executive branch agency that is principally responsible for advising the U.S. President on telecommunications and information policy issues. 

The report identifies an SBOM as a formal record containing the details and supply chain relationships of various components used in building software. In addition to establishing minimum elements, the report defines the scope of how to think about minimum elements, describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution.

The minimum constituent parts of an overall SBOM – referred to as elements – are three broad, inter-related areas, made up of data fields, automation support and practices and processes, which support basic SBOM functionality. These elements will serve as the foundation for an evolving approach to software transparency, and enable an evolving approach to software transparency, capturing both the technology and the functional operation. Subsequent releases will incorporate more detail or technical advances. 

The three categories of elements of the SBOM include data fields, automation support, and practices and processes. Data fields document baseline information about each component that should be tracked, while adopting sufficient identification of these components to track them across the software supply chain.  Automation support, including automatic generation and machine readability, allows for scaling across the software ecosystem particularly across organizational boundaries.

The final element of the SBOM consists of practices and processes, as the SBOM is more than a structured set of data that must be integrated into the operations of the secure development life cycle that an organization should follow to focus on the mechanics of SBOM use. It also defines the operations of SBOM requests, generation and use. 

An SBOM provides those who produce, purchase, and operate the software with information that enhances their understanding of the supply chain, which enables multiple benefits, most notably the potential to track known and newly emerged vulnerabilities and risks. 

Though an SBOM won’t solve all software security problems, it offers the potential to track known newly emerged vulnerabilities and risks, NTIA said. “SBOM will not solve all software security problems, but will form a foundational data layer on which further security tools, practices, and assurances can be built,” according to the NTIA report

The minimum elements for a Software Bill of Materials will enable basic use cases, such as management of vulnerabilities, software inventory, and licenses. The report also looks at recommended SBOM features and advances that go beyond the minimum elements, including key security features and tracking more detailed supply chain data.

The report builds on the work of NTIA’s SBOM multi-stakeholder process, as well as the responses to a request for comments issued in June. NTIA also looks forward to a conversation on recommended SBOM features and advances beyond the minimum elements for a Software Bill of Materials that may be seen as priorities for further work. This includes key security features such as SBOM integrity, as well as tracking more detailed supply chain data. As additional SBOM elements become feasible, tested, and built into tools, they will enable broader use cases. Some of these aspirational elements are being implemented or have already shown great potential. 

The publication of the report comes in response to U.S. President Joe Biden’s Executive Order (14028) on ‘Improving the Nation’s Cybersecurity’ in May. Following the cybersecurity incident by ransomware attackers on the Colonial Pipeline, the presidential action identified, among other things, SBOM as a priority for the administration and other stakeholders to drive software assurance and supply chain risk management.   

The U.S. administration said in its May order, “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is.” In the modern world, software systems involve complex, dynamic — and, too often, obscure — supply chains. “Bringing transparency to the components and connections within and across supply chains is important to discovering and addressing the weak links in those chains. SBOMs are a critical step toward securing the software supply chain. Without them, a lack of transparency into the contributors, composition, and functionality of these systems contributes substantially to cybersecurity risks and increases costs of development, procurement, and maintenance,” according to the NTIA report.

Cybersecurity expert Dale Peterson expects that a new competitor for mindshare are the supply chain / SBOM vendors, while detection still has at least a two to three-year window as the dominant solution in terms of spend, as creating SBOMs is one of the easier parts of the solution. 

“Most asset owners can’t leverage the basic asset inventory the OT detection solutions create, let alone the expansion SBOM level detail would provide. It’s likely the detection solutions will try to extend their asset inventory and vulnerability management claims and import SBOMs,” Peterson wrote in a LinkedIn post.

Last month, the National Institute of Standards and Technology (NIST) issued a white paper providing a definition of critical software. The definition preliminarily includes operating systems, web browsers, hypervisors, endpoint security tools, identity and access management applications, network monitoring tools, backup, recovery, and remote storage tools, and other categories of software. 

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats