The Cybersecurity and Infrastructure Security Agency (CISA) has updated its recommendations for the minimum features of a software bill of materials (SBOM), the latest step in the agency’s campaign to encourage transparency in the software market.
“The updates and additions included in this document will better position Federal Government agencies and other SBOM consumers to address a range of use cases, understand the generation process, and improve data quality,” CISA said in the new publication, which it released on Thursday.
Many organizations are vulnerable to cyberattacks because they use software with flaws that they aren’t aware of, due to the complexity of the code. Some cyber experts see SBOMs as an important tool for illuminating the contents of software and helping users address vulnerabilities. Machine-readable SBOMs can be combined with other sources of data, including government threat warnings, to produce guidance such as alerts about vulnerable software components.
CISA’s continued focus on SBOMs represents an area of continuity from the Biden administration, which inaugurated the agency’s SBOM advocacy throughout the cybersecurity community and the software industry.
New SBOM recs
Major updates to the CISA guidance address SBOM data fields, the expected comprehensiveness of the SBOM, the need to identify any known unknown dependencies and the importance of updating outdated records. New materials in the document include several SBOM data fields, such as the license accompanying the software, the name of the tool used to create the SBOM and the software’s cryptographic hash. The revised version also eliminates a section dedicated to SBOM access controls and incorporates it into existing distribution recommendations.
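As an added illustration (not from CISA's document or any vendor's tooling), the following Python check reads an SBOM in CycloneDX JSON format (an assumed format; the article names none) and reports which of the fields the article mentions are absent: the generating tool's name, per-component license and cryptographic hash, plus whether the SBOM declares its own dependency list incomplete (a "known unknown"). The field names are CycloneDX's, not CISA's, and the sample SBOM is constructed.

```python
"""Check a CycloneDX JSON SBOM for the minimum-element fields the updated
CISA guidance calls out (license, SBOM tool name, cryptographic hash) and for
declared known-unknown dependencies. Field names follow CycloneDX 1.5."""
import json

# Constructed sample SBOM for demonstration; not taken from any real vendor.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"tools": [{"name": "example-sbom-tool", "version": "0.1"}]},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        # Second component deliberately lacks license and hash.
        {"type": "library", "name": "libbar", "version": "4.5.6"},
    ],
    # The producer admits the component list is not complete.
    "compositions": [{"aggregate": "incomplete"}],
})


def check_minimum_elements(sbom_json: str) -> list[str]:
    """Return a list of human-readable findings; empty means all checks passed."""
    sbom = json.loads(sbom_json)
    findings: list[str] = []

    # CycloneDX 1.5 allows metadata.tools as a list of tool objects or as an
    # object holding "components"; normalise both shapes to a list.
    tools = sbom.get("metadata", {}).get("tools", [])
    if isinstance(tools, dict):
        tools = tools.get("components", [])
    if not any(t.get("name") for t in tools):
        findings.append("metadata: no SBOM generation tool named")

    for comp in sbom.get("components", []):
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        if not comp.get("licenses"):
            findings.append(f"{label}: no license recorded")
        if not comp.get("hashes"):
            findings.append(f"{label}: no cryptographic hash")

    # Any aggregate other than "complete" is a declared known unknown.
    for comp in sbom.get("compositions", []):
        agg = comp.get("aggregate", "not_specified")
        if agg != "complete":
            findings.append(f"compositions: aggregate '{agg}' (known unknown dependencies)")
    return findings


if __name__ == "__main__":
    for line in check_minimum_elements(SAMPLE_SBOM):
        print(line)
```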
The publication, which is open for public comment through Oct. 3, is aimed primarily at government agencies but is also designed to help other organizations understand what to expect from their vendors’ SBOMs.
The changes in the document reflect the growth in the SBOM ecosystem since the National Telecommunications and Information Administration first published SBOM minimum elements in 2021. In its public-comment notice, CISA listed several of the major developments: SBOM tooling has expanded beyond creation to cover sharing and analysis, more industries have joined conversations about SBOM design and use, open-source developers have accelerated the movement and experts have identified new uses for the tool.
CISA said it would “continue to promote SBOMs as a way to provide relevant and available data to software users to illuminate their software supply chains, better inform their risk management processes and drive their software security decisions.”