CISA releases HBOM framework for supply chain risk management to help purchasers assess, mitigate risks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published on Monday its Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management. The document introduces an HBOM framework that gives vendors a consistent, repeatable way to tell purchasers about the hardware components in products the purchaser already owns or is considering acquiring, and so equips purchasers to evaluate and mitigate risks within their supply chains.

Released by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, the HBOM framework includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance of what HBOM information is appropriate depending on the purpose for which the HBOM will be used.

The framework consists of several key components, including use case categories (Appendix A), format of HBOMs (Appendix B); and data field taxonomy (Appendix C). The framework’s objective is to set forth a reliable and predictable structure for HBOMs and a set of clearly defined data fields of HBOM components and their attributes, promoting efficiencies across the ICT sectors for various use cases. 

The HBOM framework was developed by the ICT SCRM Task Force's HBOM Working Group, which includes subject matter experts from a diverse set of private and public sector organizations.

The Task Force serves as the primary mechanism for industry and government collaboration on strategies and policies to address ICT supply chain risks confronted by critical infrastructure owners and operators, civilian federal executive branch departments and agencies, and state, local, tribal, and territorial (SLTT) governments. It also provides advice and recommendations to the federal government, and to private sector owners and operators of critical infrastructure on means for assessing and managing risks associated with the ICT supply chain.

Requesting HBOMs is one of many activities that purchasers can use to evaluate their supply chains and mitigate risk. Currently available BOM formats are not fully portable between suppliers and purchasers without additional work, and the HBOM framework aims to advance that interoperability. The principal HBOM 'use cases' detailed in the report were identified by ICT industry representatives and government stakeholders as relevant for supply chain risk management purposes.

These principal HBOM 'use cases' fall into three high-level categories. 'Compliance' covers situations that assess a product's compliance with rules and requirements; these scenarios help an entity organize the information it may need to demonstrate adherence to internal, industry, customer, and government requirements. 'Security' covers scenarios that evaluate a product's security risk based on its exposure to known vulnerabilities and/or its susceptibility to untrusted entities or geolocations. 'Availability' covers conditions that assess product impacts from world events and from supply chain diversification (or the lack of it).

CISA notes that the document provides definitional and formatting consistency that is useful regardless of the specific HBOM information being shared. It also provides guidance on which HBOM components may be appropriate to include in an HBOM provided for a given use case or goal a purchaser may have (e.g., evaluating security, promoting resiliency/availability, or complying with laws or regulations).

The HBOM Framework is designed for voluntary adoption by both purchasers and vendors to streamline the exchange of information. Its primary objective is to establish a standardized and replicable approach that allows vendors to convey information about the hardware components within their products, whether currently owned or under consideration for purchase. By doing so, it empowers purchasers to assess and proactively address supply chain risks more comprehensively.

“The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain,” Mona Harrington, CISA National Risk Management Center assistant director and ICT SCRM task force co-chair, said in a media statement. “With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience.” 

Harrington added that by enhancing transparency and traceability through HBOM, “stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.”

“This methodology gives organizations a useful tool to evaluate supply chain risks with a consistent and predictable structure for a variety of use cases” according to John Miller, senior vice president of policy and general counsel at Information Technology Industry Council (ITI) and ICT SCRM Task Force Co-Chair.   

Appendix A of the HBOM framework sets out a range of potential use cases that purchasers may have for HBOMs, organized by the nature of the risk the purchaser seeks to evaluate. Because different use cases address different types of risk, each use case maps to a different subset of the data fields defined in the taxonomy in Appendix C.

In Appendix B, the framework sets out a format intended to ensure consistency across HBOMs and to make it easier for vendors and purchasers to produce and consume them. It includes a method for describing the 'nesting' of components for the case where a vendor purchases an assembly from a third party and that assembly in turn requires its own HBOM information to identify supply chain issues farther upstream.

Appendix C provides a taxonomy of component/input attributes that, depending on the purpose for which the purchaser intends to use an HBOM, may be appropriate to include in it. The taxonomy seeks to create consistency across HBOMs by defining a data field for each attribute.
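As an added illustration of the nesting described for Appendix B and the per-use-case field subsets of Appendices A and C (this is example code written for this page, not tooling from CISA or the Task Force), the following Python walks an HBOM expressed in CycloneDX JSON, one of the formats the framework says it maps to. It uses CycloneDX's real `components` array, which may itself contain a nested `components` array for a third-party assembly. The sample HBOM is constructed, and the minimum fields assumed for each use-case category are illustrative assumptions, not the framework's actual Appendix A/C mapping.

```python
"""Walk a nested HBOM and report which fields each use case is missing.

Added example, not from the CISA document. Assumes the HBOM is carried in
CycloneDX JSON, using the real CycloneDX 'components' array, where a component
may nest further 'components' to express a purchased assembly. The per-use-case
field subsets below are illustrative assumptions, not the framework's mapping.
"""
import json

# Constructed sample HBOM: a board assembly bought from a third party, with the
# assembly's own parts nested under it (the framework's "nesting" concept).
SAMPLE_HBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "device",
            "name": "mainboard-assembly",
            "version": "rev-B",
            "supplier": {"name": "Acme Boards"},
            "components": [
                {"type": "device", "name": "baseband-soc", "version": "2.1",
                 "supplier": {"name": "ChipCo"},
                 "cpe": "cpe:2.3:h:chipco:baseband:2.1:*:*:*:*:*:*:*"},
                # No supplier recorded: a gap for every use case below.
                {"type": "device", "name": "flash-nor", "version": "16Mb"},
            ],
        },
        {"type": "device", "name": "psu", "version": "1.0",
         "supplier": {"name": "ChipCo"}},
    ],
})

# Assumed (illustrative) minimum fields per use-case category from Appendix A.
REQUIRED_FIELDS = {
    "security": ("name", "version", "supplier", "cpe"),   # vuln lookup needs an identifier
    "availability": ("name", "supplier"),                  # diversification needs the source
    "compliance": ("name", "version", "supplier"),
}


def flatten(components, path=(), depth=0):
    """Yield (path, depth, component) for every component, descending into nested assemblies."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield here, depth, comp
        yield from flatten(comp.get("components", []), here, depth + 1)


def nesting_depths(hbom_json):
    """Return the nesting depth of each component in document order."""
    bom = json.loads(hbom_json)
    return [depth for _path, depth, _comp in flatten(bom.get("components", []))]


def missing_fields(hbom_json, use_case):
    """Map 'parent/child' paths to the fields the given use case needs but the component lacks."""
    required = REQUIRED_FIELDS[use_case]
    bom = json.loads(hbom_json)
    gaps = {}
    for path, _depth, comp in flatten(bom.get("components", [])):
        absent = [field for field in required if not comp.get(field)]
        if absent:
            gaps["/".join(path)] = absent
    return gaps


def supplier_concentration(hbom_json):
    """Count components per supplier across all nesting levels (availability use case)."""
    bom = json.loads(hbom_json)
    counts = {}
    for _path, _depth, comp in flatten(bom.get("components", [])):
        name = (comp.get("supplier") or {}).get("name", "<unknown>")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for use_case in REQUIRED_FIELDS:
        print(use_case, missing_fields(SAMPLE_HBOM, use_case))
    print(supplier_concentration(SAMPLE_HBOM))
```

The point of walking the nested `components` rather than only the top level is that the flash part with no recorded supplier sits inside the purchased assembly; a top-level-only check would report the assembly as complete and miss it. The supplier count is the kind of cross-level aggregation the 'Availability' use case needs to spot concentration on a single source.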

When purchasing hardware, a company should consider requesting an HBOM so that it can make informed decisions about safe and secure hardware. The HBOM Framework for Supply Chain Risk Management supports purchasers in evaluating and mitigating risks in their supply chain. Additional benefits the document cites include giving industry and government a useful tool to evaluate and address supply chain risks, helping organizations illuminate their supply chains and efficiently evaluate and mitigate certain risks, and providing portability between suppliers and purchasers.

Purchasers may also need to undertake additional activities to evaluate their supply chain risks, such as sending vendors questionnaires about their cybersecurity practices, and requesting Software Bill of Materials (SBOM) information. 

The CISA document states that future guidance would provide recommended identification techniques and resources to address the complex part and entity resolution challenges that remain. These challenges must be overcome to assess an HBOM accurately and to pair a product with its corresponding SBOM for a complete evaluation.

The HBOM framework also calls for investigating techniques for conveying and verifying the provenance, pedigree, and integrity of HBOMs. Similar discussions have occurred in the SBOM community, but the topic takes on different aspects when applied to HBOMs.

It also raises the roles involved in producing, gathering, publishing, sharing, and protecting HBOMs. The SBOM community has discussed and debated these topics for SBOMs, but HBOMs likely carry somewhat different concerns and needs that should be recognized.

It also looks at the concept of operations for HBOMs, where many open questions remain about how they would be used in practice. For example, HBOMs can function as an internal capability within a supply chain, improving the efficiency of the parties involved in their business operations; they can also serve as a public element of a supply chain, and potentially both at once. Whether HBOMs are designed for human use, automated processing, or a combination of the two, and under what circumstances, also needs to be settled. Finally, customers' rights to obtain HBOMs, and the contract clauses needed to secure access where HBOMs are not provided freely, are important considerations that require clarification.

The HBOM framework laid down that future work may be helpful to provide additional translation to alternative BOM formats. “While some equivalent fields have been defined for CycloneDX and SPDX, at the current status, not all fields have a direct 1:1 mapping. In addition, not all BOM formats have been evaluated and mapped here. For example, Appendix C does not address mapping to the Catalog Data Standard being developed by the Department of Defense,” it added. 

Future guidance is recommended to further flesh this out so that HBOMs will be more interoperable and automated with minimum required conversion tooling and user-defined fields, the CISA document said. “Partnership with the CycloneDX, SPDX, and CDS knowledge base would be helpful to achieve these next steps.”

Last week, CISA published a Security Planning Workbook that supports critical infrastructure asset owners and operators in their security planning endeavors. This resource is accessible to all members of an organization, irrespective of their level of security proficiency, and is intended for those entrusted with ensuring the safety and security of both facilities and personnel.
