The US Cybersecurity and Infrastructure Security Agency (CISA) has released a report titled “SBOM Sharing Lifecycle” to help the cybersecurity and supply chain community better understand the different phases and parties involved in the SBOM sharing lifecycle.
The report aims to assist readers in choosing suitable SBOM sharing solutions based on the amount of time, resources, expertise, effort, and access to tooling that is available. It also includes survey results highlighting the current SBOM sharing landscape.
SBOMs, or software bills of materials, are machine-readable inventories of the components, libraries, and other software that make up an application, typically recorded with their versions so they can be matched against vulnerability and license data.
They have been identified as critical for improving software supply chain security, particularly in the aftermath of the SolarWinds attack. The SBOM sharing lifecycle report highlights the importance of sharing SBOMs across the supply chain to enable effective cybersecurity risk management.
The report identifies the different parties involved in SBOM sharing, including software producers, software suppliers, system integrators, and software users.
It also describes the phases of the SBOM sharing lifecycle, such as identifying SBOM sources, collecting SBOMs, verifying them, and passing them on to the next party in the supply chain. The report recommends that organizations choose the sharing solution for each phase that fits their available resources and expertise.
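What the "verify" step looks like in practice, as an added example that is not from the CISA report or this article: a consumer receives an SBOM from a supplier, checks that the bytes match a digest the supplier published alongside it (an assumed out-of-band arrangement, not something the report specifies), and only then parses the inventory. The SBOM itself is a constructed CycloneDX-style JSON document with made-up components; the field names follow the CycloneDX layout but the contents are illustrative.

```python
import hashlib
import json

# Constructed minimal CycloneDX-style SBOM (JSON). Field names follow the
# CycloneDX 1.4 layout; the components are made up for this example.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "2.3.1"}},
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "urllib3", "version": "2.0.7",
     "purl": "pkg:pypi/urllib3@2.0.7"},
    {"type": "library", "name": "certifi", "version": "2023.7.22"}
  ]
}"""

# Assumption: the producer publishes the SHA-256 of the exact SBOM bytes
# out of band (e.g. on a signed release page). Computed here from SAMPLE_SBOM
# so the example runs offline.
PUBLISHED_DIGEST = hashlib.sha256(SAMPLE_SBOM.encode()).hexdigest()

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "components")
REQUIRED_COMPONENT = ("type", "name", "version")


def verify_digest(raw: str, expected_hex: str) -> bool:
    """Integrity check: the received bytes must hash to the published digest."""
    return hashlib.sha256(raw.encode()).hexdigest() == expected_hex


def load_sbom(raw: str) -> dict:
    """Parse and validate structure before trusting any of the contents."""
    doc = json.loads(raw)
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in doc]
    if missing:
        raise ValueError(f"SBOM missing top-level fields: {missing}")
    if doc["bomFormat"] != "CycloneDX":
        raise ValueError(f"unexpected bomFormat {doc['bomFormat']!r}")
    for i, comp in enumerate(doc["components"]):
        absent = [k for k in REQUIRED_COMPONENT if k not in comp]
        if absent:
            raise ValueError(f"component {i} missing fields: {absent}")
    return doc


def components(doc: dict) -> list[tuple[str, str]]:
    """Flatten the inventory into (name, version) pairs for downstream matching."""
    return [(c["name"], c["version"]) for c in doc["components"]]


def components_without_purl(doc: dict) -> list[str]:
    """A component with no package URL cannot be matched to a registry entry;
    report it so the gap is visible instead of silently ignored."""
    return [c["name"] for c in doc["components"] if not c.get("purl")]


def verify_and_load(raw: str, expected_hex: str) -> dict:
    """Digest first, parse second: never act on an inventory you cannot tie
    to the producer's published copy."""
    if not verify_digest(raw, expected_hex):
        raise ValueError("SBOM digest mismatch: document altered or wrong version")
    return load_sbom(raw)


if __name__ == "__main__":
    doc = verify_and_load(SAMPLE_SBOM, PUBLISHED_DIGEST)
    for name, version in components(doc):
        print(f"{name} {version}")
    print("components without purl:", components_without_purl(doc))
    # An SBOM with a silently downgraded version fails the integrity check.
    tampered = SAMPLE_SBOM.replace("2.31.0", "2.30.0")
    print("tampered accepted:", verify_digest(tampered, PUBLISHED_DIGEST))
```

The order matters: the digest is checked on the raw bytes before `json.loads` runs, so a document that has been altered in transit (or simply the wrong release's SBOM) is rejected before any of its contents influence vulnerability matching. Flagging components without a `purl` is the kind of quality gate a consumer wants at the verification phase, since an unidentifiable component cannot be correlated with advisories later.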