CISA Updates Guidance on Software Bill of Materials (SBOMs)
The Cybersecurity and Infrastructure Security Agency (CISA) released updated guidance on Software Bill of Materials (SBOMs) on Thursday, building on efforts initiated during the Biden administration to promote SBOM adoption across the cybersecurity community and software industry.
Why SBOMs Matter:
Many organizations are vulnerable to cyberattacks due to unknown flaws in the software they use. SBOMs – essentially ingredient lists for software – are seen as a crucial tool for identifying these vulnerabilities. Machine-readable SBOMs can be combined with threat intelligence, like government warnings, to alert users to at-risk software components.
Key Updates to the Guidance:
The revised guidance focuses on several key areas:
Data Fields: It expands the required data fields within an SBOM to include facts like software licenses, the tool used to create the SBOM, and cryptographic hashes.
Comprehensiveness: It emphasizes the need for thorough SBOMs, including identifying “known unknowns” – dependencies that are suspected but not fully documented.
Record Updates: The guidance stresses the importance of keeping SBOM records current.
Streamlined Access Controls: Information previously dedicated to SBOM access controls has been integrated into existing distribution recommendations.
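To make the two technical points above concrete (the expanded data fields, and matching a machine-readable SBOM against advisories), here is an added example of a small SBOM audit script. It is illustrative code written for this article, not CISA's tooling and not part of the guidance. It assumes a CycloneDX-style JSON layout (component name, version, licenses, hashes, metadata.tools, compositions); the SBOM contents, the tool name and the advisory identifier are all constructed placeholders.

```python
import json

# Constructed sample SBOM using CycloneDX-style JSON field names (assumption:
# this mirrors the real CycloneDX layout; every value below is made up).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    # The guidance wants the generating tool recorded.
    "metadata": {"tools": [{"name": "example-sbom-generator", "version": "0.1"}]},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        # Second component lacks both license and hash data.
        {"type": "library", "name": "libbar", "version": "0.9.0"},
    ],
    # Constructed "known unknown": libbar's own dependencies were not resolved.
    "compositions": [{"aggregate": "incomplete", "assemblies": ["libbar"]}],
})

# Constructed advisory feed (placeholder identifier, not a real CVE).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "libbar", "affected_versions": ["0.9.0"]},
]


def check_required_fields(sbom):
    """Return findings for data the updated guidance expects an SBOM to carry:
    generating tool, per-component version, license and hash, and any
    dependency set flagged as incomplete (a known unknown)."""
    findings = []
    tools = sbom.get("metadata", {}).get("tools", [])
    if not tools:
        findings.append("SBOM metadata does not record the tool that generated it")
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append(f"{name}: missing version")
        if not comp.get("licenses"):
            findings.append(f"{name}: missing license")
        if not comp.get("hashes"):
            findings.append(f"{name}: missing cryptographic hash")
    for composition in sbom.get("compositions", []):
        aggregate = composition.get("aggregate")
        if aggregate != "complete":
            for ref in composition.get("assemblies", []):
                findings.append(f"{ref}: dependencies marked {aggregate} (known unknown)")
    return findings


def match_advisories(sbom, advisories):
    """Cross-reference SBOM components against an advisory list.
    Matching is by exact component name and exact affected version."""
    index = {}
    for adv in advisories:
        index.setdefault(adv["component"], []).append(adv)
    hits = []
    for comp in sbom.get("components", []):
        for adv in index.get(comp.get("name"), []):
            if comp.get("version") in adv["affected_versions"]:
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def audit(sbom_json, advisories):
    """Parse an SBOM document and return both completeness findings and
    components that match a known advisory."""
    sbom = json.loads(sbom_json)
    return {
        "findings": check_required_fields(sbom),
        "affected": match_advisories(sbom, advisories),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for line in report["findings"]:
        print("FINDING:", line)
    for name, version, adv_id in report["affected"]:
        print(f"AFFECTED: {name} {version} -> {adv_id}")
```

Run on the constructed SBOM, the script reports that libbar lacks a license and a hash, that its dependency set is marked incomplete, and that its version matches the placeholder advisory; libfoo produces no findings. A production checker would replace the exact-version comparison with proper version-range handling and pull advisories from a real feed, but the structure (validate the record, then correlate it with intelligence) is the same.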
Public Comment & Future Development:
The updated document is currently open for public comment until October 3rd. While primarily aimed at government agencies, it’s designed to help all organizations understand what to expect from their software vendors’ SBOMs.
These changes reflect the significant growth in the SBOM ecosystem since the National Telecommunications and Information Administration (NTIA) first published minimum elements for SBOMs in 2021. Developments include expanded tooling for sharing and analyzing SBOMs, increased industry participation, accelerated open-source contributions, and the discovery of new applications for the technology.
CISA remains committed to promoting SBOMs as a way to improve software supply chain visibility, risk management, and security decision-making.