CISA releases SBOM sharing lifecycle report covering different parties and phases

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Monday its Software Bill of Materials (SBOM) sharing lifecycle report, which enumerates and describes the different parties and phases of the SBOM sharing lifecycle. It also assists readers in choosing suitable SBOM sharing solutions based on the amount of time, resources, subject-matter expertise, effort, and access to tooling available to them to implement a phase of the SBOM sharing lifecycle. In addition, it highlights SBOM sharing survey results obtained from interviews with stakeholders to understand the current SBOM sharing landscape.

The SBOM sharing lifecycle consists of the discovery, access, and transport of an SBOM, and the report details these individual phases and how an SBOM goes from the author to the consumer. The report also details how potential enrichment activities may be performed on an SBOM to create a new product before or after it has been shared. Alongside the lifecycle, the report introduces a sophistication classification for SBOM sharing solutions, based on which features a solution includes or lacks and the effort associated with implementing it.

The document confirmed that the multi-stakeholder and community-led SBOM efforts have proven fruitful in understanding the current state of SBOM creation, distribution, and consumption. Two things have become clear from these stakeholder engagements – SBOM sharing is currently happening, and no single, ubiquitous solution is being used by all stakeholders.

While there has been substantial community discussion on SBOM generation, there have been fewer focused discussions on SBOM sharing. The goal of the report is to highlight the currently used SBOM sharing solutions and assist readers in considering appropriate sharing solutions depending on their needs concerning the discovery, access, and transport of SBOMs.

The categorized results of the survey suggest that SBOMs are currently either transported directly to the receiver through email or similar informal communication mechanisms, or reside in a repository available to consumers. Apart from these transport methods, the report captures industry efforts to create private sharing solutions and services that can store and transport enrichment data and may use higher-sophistication features that are cloud-based or use distributed ledger technologies.

The report detailed that the interaction between relevant parties in the sharing of SBOMs will be referred to as the SBOM sharing lifecycle. The NTIA ‘Sharing and Exchanging SBOMs’ document contains a two-step approach to advertisement/discovery and access. The sharing lifecycle expands on this approach and focuses on the complete process of how SBOMs are shared from author to consumer. 

The lifecycle consists of the Discovery, Access, and Transport phases, and represents how an SBOM goes from the author to the consumer. These three phases are used to simplify the potentially complex process of the SBOM lifecycle, the CISA SBOM sharing document said. “The author will leverage a discovery method that will enable the consumer to identify the location of an SBOM. In the Access phase, the consumer fulfills any authorization requirements set in place by the provider. After authorization is granted, a transport method is provided to the consumer. If the consumer is the end user of the SBOM, the cycle will be completed after the Transport phase of the SBOM,” it added.

“An additional step may be taken if the consumer of the SBOM is a downstream author,” the document added. “The downstream author may perform an enrichment activity and add additional information to the SBOM or create a new product (i.e., incorporating the data into another SBOM to expand its internal-components information). From that point, the sharing lifecycle phases begin again with the downstream author, starting from the author role and sharing the updated information through the Discovery phase.”

The CISA SBOM document details that the initial phase of the lifecycle involves how a consumer will gain awareness of the existence of an SBOM from an author or provider. “The SBOM could be discoverable through a standardized placement within a vendor website or location within software source code. Sufficient guidance should be provided to enable the continuation into the Access and Transport phases. The Discovery phase should also clearly state if the SBOM requires the consumer to continuously contact the provider and request updates. Alternatively, continuous updates could be provided through an automated process.”

The low-sophistication features of the Discovery phase describe a solution in which the provider does not prepare any major mechanisms to assist interested parties in locating an SBOM. This places the burden of the Discovery phase on interested parties, and the consumer will likely need to manually search a vendor website that is not explicitly known to contain SBOMs. To reach medium sophistication, a provider’s SBOM location and access procedures may have some well-known aspects.

For a high-sophistication approach, “the burden of discovery is placed more heavily on the provider to lessen the effort exerted by the consumer. There may be a well-known and documented process that is ripe for automation and has few aspects that require manual intervention,” the document added. 

The Discovery solution examples include email, manufacturer usage description, basic web app, feature-rich web app, and distributed ledger synchronization.

After the location of an SBOM has been discovered, the next step is to obtain Access to the data. This phase of the lifecycle focuses on access controls placed on the SBOM and how a consumer will gain authorization to continue to the Transport phase, the CISA document outlines. There may be no requirements to have access controls in place and the SBOM will be available for public consumption. The provider may require that SBOMs be held in a repository that requires manual vetting to determine if access should be granted to an individual recipient. SBOMs may also require specific access control granularity ensuring consumers are allowed to view only specific versions of SBOMs associated with a product or access only specific portions of the information.

For low sophistication, the main attribute of the Access phase is the lack of authentication or access controls or the highly manual nature of access controls. For any interface directly accessible to the consumer, it is assumed that the SBOMs are made public to all once they have been discovered. 

Medium sophistication requires that authentication is in place, as well as some level of access controls. Access controls may be role-based or channel-based; however, in medium sophistication, it is assumed that full granularity of individual permissions is not present, as that requires a full breakdown of each operation along with the different levels of permissions in that context.

In high sophistication, a consumer may request Access to view an SBOM and a limited account may be created automatically. Access to SBOMs may be automatically provided if a consumer can provide evidence that they have purchased a device or software relevant to the SBOM in question.

The Access phase examples include email, basic web app, and feature-rich web app. Once the necessary permissions and access have been obtained by a consumer, the consumer will be able to read, download, or otherwise obtain the SBOM data itself. This is described by the following Transport phase of the SBOM sharing lifecycle.

The Transport Lifecycle phase denotes how a consumer receives the SBOM. Methods of transport may enable SBOMs to be transferred from a single point to a single point, or a single point to multiple points. Different methods facilitate this process more effectively than others. If the SBOM transport only involves the movement of a single SBOM, then an email or copy placed on a hard drive and sent from the author to the consumer may be sufficient.

The CISA SBOM sharing document identifies that a low-sophistication transport process could involve the provider manually sending an SBOM to anyone who requests it. Low sophistication also does not mandate transport over the Internet. For medium sophistication, the Transport phase can be done using well-known methods like download through HTTP(S); however, documentation that supports this transport may still be minimal, and interfaces may be inconsistent or limiting, increasing the cost and expertise required to automate the transport process to a high degree.

For high sophistication, the Transport phase process should be well documented using standard protocols. An application programming interface (API) should be present, consistent, and repeatable. An OpenAPI interface that provides documentation for a Representational State Transfer (REST) or RESTful API would be sufficient to be categorized at a high-sophistication level.

For the Transport phase, several examples are provided for how the sophistication level could be evaluated. These cover email, basic web app, and feature-rich web app.

The CISA SBOM sharing document also addresses enrichment, which describes how an SBOM may be used to create a new product, before or after it has been shared with an additional party. For example, the SBOM may be reviewed and updated, creating a new SBOM that could be moved through another instance of the SBOM sharing lifecycle. 

Outputs of this process may not be SBOMs at all. For example, if a third party receives an SBOM and analyzes it to determine what common vulnerabilities and exposures apply to the described software, then this too would be an output of this process, the document said. “Additional documents, such as Vulnerability Exploitability eXchange (VEX), which may refer to a product that is described by an SBOM, are also defined as enrichment activities. Enrichment data may be moved using the same methods of transport for SBOM data,” it added.

With enrichment being in an early developmental stage, private companies have developed tools to assist with this process. Repositories with enrichment data attached to SBOMs have been created. Many of these services are using cloud-based or distributed ledger technologies. Further work will be needed to evaluate enrichment in the context of sophistication. 

Last week, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the U.K., Germany, the Netherlands, and New Zealand (CERT NZ, NCSC-NZ) published joint guidance urging software manufacturers to take the urgent steps necessary to ship products that are secure-by-design and secure-by-default. The guidance aims to shift the balance of cybersecurity risk by applying secure-by-design and secure-by-default principles and approaches.