The US Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidelines for software producers, emphasizing the importance of creating Software Bills of Materials (SBOMs) to enhance supply chain security.
The guidance, published on Friday, outlines step-by-step instructions for building SBOMs, which are comprehensive lists detailing the components of a software product. These include technical specifications for creating SBOMs and additional measures for transparency, such as providing identifiers for product components and including hashes for software artifacts. SBOMs, likened to ingredient lists for food products, are essential for understanding the makeup of software products, including their components, dependencies, and third-party libraries.
This initiative aligns with a 2021 White House executive order requiring federal agencies to use SBOMs in software development and procurement. CISA’s focus on SBOMs aims to improve software security and supply chain risk management, which matters because many agencies have struggled to integrate these lists into their IT contracts with software manufacturers. CISA has been proactive in promoting the adoption and understanding of SBOMs.
In 2023, the agency organized an “SBOM-a-rama” event, which was intended to educate the software and security communities about the importance of SBOMs and to share insights on community-led work in this area. Additionally, in April, CISA released a report detailing the different phases of the SBOM-sharing life cycle.
This report is a resource for both public and private sectors, offering guidance on selecting solutions that enhance transparency and information sharing between software manufacturers and consumers. In the latest guidance, CISA lays out a five-step process for creating an SBOM for a product line.
These steps include determining an identifier and versioning system, listing all components distributed together, providing a version number for each component, and referencing the build SBOM for each component image in the product group. This structured approach is aimed at standardizing the process and ensuring that SBOMs are comprehensive and useful for risk mitigation in software supply chains.
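The steps above map naturally onto a small script. The following is an added example, not CISA's own tooling or any reference implementation: it assembles a product-line SBOM from constructed sample artifacts, recording a product identifier and version, every component shipped together, each component's version, a SHA-256 hash of each artifact, and a reference to each component's build SBOM. The product name, component names, versions, and the `urn:example:` build-SBOM references are all made-up values, and the JSON layout is a simplified structure of my own rather than a claim of conformance to SPDX or CycloneDX.

```python
import hashlib
import json

# Constructed sample artifact bytes standing in for the component images a
# product line would actually ship (installers, container images, archives).
SAMPLE_ARTIFACTS = {
    "web-frontend": b"web-frontend image bytes (constructed sample)",
    "api-server": b"api-server image bytes (constructed sample)",
}

# Hypothetical component metadata: each entry carries the component's version
# and a reference to the build SBOM produced when that component was built.
COMPONENTS = [
    {"name": "web-frontend", "version": "2.4.1",
     "build_sbom": "urn:example:sbom:web-frontend:2.4.1"},
    {"name": "api-server", "version": "1.9.0",
     "build_sbom": "urn:example:sbom:api-server:1.9.0"},
]


def sha256_hex(data: bytes) -> str:
    """Hash of a shipped artifact, recorded so consumers can verify what they received."""
    return hashlib.sha256(data).hexdigest()


def build_product_sbom(product_name: str, product_version: str,
                       components: list, artifacts: dict) -> dict:
    """Assemble the product-line SBOM: product identifier and version, the list
    of components distributed together, a version per component, an artifact
    hash per component, and a reference to each component's build SBOM."""
    entries = []
    for comp in components:
        data = artifacts[comp["name"]]
        entries.append({
            # purl-style identifier; the pkg:generic namespace here is an assumption
            "identifier": f"pkg:generic/{product_name}/{comp['name']}@{comp['version']}",
            "name": comp["name"],
            "version": comp["version"],
            "hashes": {"sha256": sha256_hex(data)},
            "buildSbomRef": comp["build_sbom"],
        })
    return {
        "product": {
            "identifier": f"pkg:generic/{product_name}@{product_version}",
            "name": product_name,
            "version": product_version,
        },
        "components": entries,
    }


def validate_product_sbom(sbom: dict) -> list:
    """Return a list of problems; an empty list means every field the
    guidance calls for is present and no component is listed twice."""
    problems = []
    product = sbom.get("product", {})
    for field in ("identifier", "version"):
        if not product.get(field):
            problems.append(f"product missing {field}")
    seen = set()
    for comp in sbom.get("components", []):
        label = comp.get("name", "<unnamed>")
        if label in seen:
            problems.append(f"duplicate component {label}")
        seen.add(label)
        for field in ("identifier", "version", "buildSbomRef"):
            if not comp.get(field):
                problems.append(f"{label} missing {field}")
        if not comp.get("hashes", {}).get("sha256"):
            problems.append(f"{label} missing sha256 hash")
    if not seen:
        problems.append("no components listed")
    return problems


def verify_artifact(sbom: dict, name: str, data: bytes) -> bool:
    """Consumer-side check: does a received artifact match the hash the SBOM records?"""
    for comp in sbom["components"]:
        if comp["name"] == name:
            return comp["hashes"]["sha256"] == sha256_hex(data)
    return False  # component not listed in the SBOM at all


if __name__ == "__main__":
    sbom = build_product_sbom("acme-suite", "2024.06", COMPONENTS, SAMPLE_ARTIFACTS)
    print(json.dumps(sbom, indent=2))
    print("problems:", validate_product_sbom(sbom))
    print("api-server intact:", verify_artifact(sbom, "api-server", SAMPLE_ARTIFACTS["api-server"]))
```

The validator is the part a producer would wire into a release pipeline: a component that ships without a version or without a build-SBOM reference fails the check before the product SBOM is published, and the hash check is what a consumer runs to confirm the artifact in hand is the one the SBOM describes.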