The National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce published on Monday a report on the minimum elements for a Software Bill of Materials (SBOM). This report is intended to serve as a foundation for continued collaboration and public-private partnerships to refine and operationalize SBOM work. The NTIA is an executive branch agency that is principally responsible for advising the U.S. President on telecommunications and information policy issues.
The report identifies an SBOM as a formal record containing the details and supply chain relationships of various components used in building software. In addition to establishing minimum elements, the report defines the scope of how to think about minimum elements, describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution.
The minimum constituent parts of an overall SBOM, referred to as elements, fall into three broad, inter-related areas: data fields, automation support, and practices and processes. Together they support basic SBOM functionality and serve as the foundation for an evolving approach to software transparency, capturing both the technology and its functional operation. Subsequent releases are expected to incorporate more detail and technical advances.
Data fields document baseline information about each component that should be tracked, and require sufficient identification of those components to follow them across the software supply chain. Automation support, including automatic generation and machine readability, allows SBOMs to scale across the software ecosystem, particularly across organizational boundaries.
The final element, practices and processes, reflects that an SBOM is more than a structured set of data: it must be integrated into the operations of an organization's secure development life cycle. This element focuses on the mechanics of SBOM use and defines how SBOMs are requested, generated and consumed.
An SBOM provides those who produce, purchase, and operate the software with information that enhances their understanding of the supply chain, which enables multiple benefits, most notably the potential to track known and newly emerged vulnerabilities and risks.
NTIA cautions that this is a foundation rather than a complete solution. “SBOM will not solve all software security problems, but will form a foundational data layer on which further security tools, practices, and assurances can be built,” according to the NTIA report.
The minimum elements for a Software Bill of Materials will enable basic use cases, such as management of vulnerabilities, software inventory, and licenses. The report also looks at recommended SBOM features and advances that go beyond the minimum elements, including key security features and tracking more detailed supply chain data.
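The following is an added example, not code from NTIA or from the report, showing what "data fields", "automation support" and the vulnerability-management use case above look like when put together in a tool. It audits a machine-readable SBOM for the report's minimum data fields (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp), checks that every dependency edge actually resolves to an identified component, and then matches components against an advisory feed and walks the dependency graph to see which shipped component pulls the vulnerable one in. The JSON layout and key names (`purl`, `depends_on`, and so on) are assumptions about how a generator might emit these fields, not a normative format; the SBOM and the advisory IDs are constructed sample data.

```python
"""Audit a machine-readable SBOM for the NTIA minimum data fields, then run
the basic vulnerability-management use case over its dependency graph.

Added example for this article, not code from NTIA or from the report. The
SBOM and advisory data below are constructed for illustration; the JSON
layout and key names are assumptions about how a tool might emit them, not
a normative format, and the advisory IDs are not real.
"""
import json
from datetime import datetime

# The report's minimum data fields, mapped onto the constructed layout:
# supplier name, component name, version, other unique identifier (purl),
# dependency relationship (depends_on), author of SBOM data, timestamp.
COMPONENT_FIELDS = ("supplier", "name", "version", "purl")
DOCUMENT_FIELDS = ("author", "timestamp")

# Constructed sample SBOM (not a real product)
SAMPLE_SBOM = json.dumps({
    "author": "example-vendor build pipeline",
    "timestamp": "2021-07-12T14:00:00Z",
    "components": [
        {"supplier": "Example Org", "name": "app", "version": "2.3.0",
         "purl": "pkg:generic/app@2.3.0",
         "depends_on": ["pkg:pypi/libparse@1.4.1", "pkg:generic/unknownlib@0.9"]},
        {"supplier": "libparse maintainers", "name": "libparse", "version": "1.4.1",
         "purl": "pkg:pypi/libparse@1.4.1", "depends_on": []},
        # Deliberately incomplete: no supplier and no unique identifier, so the
        # dependency edge from "app" above cannot be resolved to this entry.
        {"name": "unknownlib", "version": "0.9", "depends_on": []},
    ],
})

# Constructed advisory feed keyed by purl (invented IDs, not real CVEs)
SAMPLE_ADVISORIES = {"pkg:pypi/libparse@1.4.1": ["EXAMPLE-2021-0001"]}


def check_minimum_fields(sbom_json):
    """Return {component name or '<document>': [missing fields]}; empty if complete."""
    doc = json.loads(sbom_json)
    problems = {}
    missing_doc = [f for f in DOCUMENT_FIELDS if not doc.get(f)]
    if missing_doc:
        problems["<document>"] = missing_doc
    else:
        try:  # a timestamp that does not parse is as useless as a missing one
            datetime.fromisoformat(doc["timestamp"].replace("Z", "+00:00"))
        except ValueError:
            problems["<document>"] = ["timestamp (not ISO 8601)"]
    for idx, comp in enumerate(doc.get("components", [])):
        missing = [f for f in COMPONENT_FIELDS if not comp.get(f)]
        if missing:
            problems[comp.get("name") or f"component[{idx}]"] = missing
    return problems


def dangling_dependencies(sbom_json):
    """Return (component name, purl) pairs whose dependency edge points at no
    identified component in the SBOM: the relationship field is only useful
    when the identifiers on both ends resolve."""
    doc = json.loads(sbom_json)
    known = {c["purl"] for c in doc["components"] if c.get("purl")}
    return [(c.get("name"), dep)
            for c in doc["components"]
            for dep in c.get("depends_on", []) if dep not in known]


def dependents_of(doc, target):
    """Purls of every component that transitively depends on `target`."""
    reverse = {}
    for c in doc["components"]:
        for dep in c.get("depends_on", []):
            reverse.setdefault(dep, set()).add(c.get("purl"))
    seen, stack = set(), [target]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent and parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(seen)


def match_advisories(sbom_json, advisories):
    """The basic use case: {vulnerable purl: {"advisories": [...], "affects": [...]}}
    where `affects` lists the components that pull the vulnerable one in."""
    doc = json.loads(sbom_json)
    hits = {}
    for comp in doc["components"]:
        purl = comp.get("purl")
        if purl in advisories:
            hits[purl] = {"advisories": list(advisories[purl]),
                          "affects": dependents_of(doc, purl)}
    return hits


if __name__ == "__main__":
    print("missing fields:", check_minimum_fields(SAMPLE_SBOM))
    print("dangling deps:", dangling_dependencies(SAMPLE_SBOM))
    print("advisory hits:", match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES))
```

On the constructed input, the field check flags `unknownlib` for missing supplier and identifier, the dependency check reports that `app`'s edge to it cannot be resolved, and the advisory match attributes the `libparse` finding back to `app` as the shipped component that carries it. The point of the two structural checks is that an SBOM which is machine-readable but has gaps in identifiers or relationships cannot support the vulnerability use case reliably, which is why the report treats those fields as a minimum rather than as nice-to-haves.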
The report builds on the work of NTIA’s SBOM multi-stakeholder process, as well as the responses to a request for comments issued in June. NTIA also looks forward to a conversation on recommended SBOM features and advances beyond the minimum elements for a Software Bill of Materials that may be seen as priorities for further work. This includes key security features such as SBOM integrity, as well as tracking more detailed supply chain data. As additional SBOM elements become feasible, tested, and built into tools, they will enable broader use cases. Some of these aspirational elements are being implemented or have already shown great potential.
The publication of the report comes in response to U.S. President Joe Biden’s Executive Order 14028 on ‘Improving the Nation’s Cybersecurity’, signed in May only days after the ransomware attack on Colonial Pipeline. Among other things, the order identified SBOM as a priority for the administration and other stakeholders in driving software assurance and supply chain risk management.
The U.S. administration said in its May order, “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is.” In the modern world, software systems involve complex, dynamic — and, too often, obscure — supply chains. “Bringing transparency to the components and connections within and across supply chains is important to discovering and addressing the weak links in those chains. SBOMs are a critical step toward securing the software supply chain. Without them, a lack of transparency into the contributors, composition, and functionality of these systems contributes substantially to cybersecurity risks and increases costs of development, procurement, and maintenance,” according to the NTIA report.
Cybersecurity expert Dale Peterson expects that supply chain and SBOM vendors will become a new competitor for mindshare, while detection still has at least a two to three-year window as the dominant solution in terms of spend, since creating SBOMs is one of the easier parts of the solution.
“Most asset owners can’t leverage the basic asset inventory the OT detection solutions create, let alone the expansion SBOM level detail would provide. It’s likely the detection solutions will try to extend their asset inventory and vulnerability management claims and import SBOMs,” Peterson wrote in a LinkedIn post.
Last month, the National Institute of Standards and Technology (NIST) issued a white paper providing a definition of critical software. The definition preliminarily includes operating systems, web browsers, hypervisors, endpoint security tools, identity and access management applications, network monitoring tools, backup, recovery, and remote storage tools, and other categories of software.