Connect with us

Hi, what are you looking for?



CISA Unveils New HBOM Framework to Track Hardware Components

CISA unveils a new Hardware Bill of Materials (HBOM) framework for buyers and sellers to communicate about components in physical products.

CISA staff government shutdown

The US government’s cybersecurity agency CISA has unveiled a new Hardware Bill of Materials (HBOM) framework offering a consistent, repeatable way for vendors to communicate with purchasers about hardware components in physical products.

The new framework provides what CISA describes as “a reliable and predictable structure for HBOMs” and a set of clearly defined data fields of HBOM components and their attributes.

“With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience,” said CISA assistant director Mona Harrington. 

Harrington said the HBOM framework [.pdf] includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance of what HBOM information is appropriate depending on the purpose for which the HBOM will be used. 

The HBOM framework, created by the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, is meant to be flexible and allow purchasers and vendors to tailor it to their specific circumstances or use cases.

The agency said it is meant to capture the components’ HBOM information to be included at the time of the sale or exchange of goods and noted that stakeholders may need to update the HBOM during the lifecycle of a project. 

CISA said the framework sets forth a format that can be used to ensure consistency across HBOMs and to increase the ease with which vendors and purchasers produce and use HBOMs. 

It also includes a method for describing “nesting” of components where a vendor purchases an assembly from a third party, and that assembly requires further HBOM information to properly identify supply chain issues that are farther up in the supply chain.  

Advertisement. Scroll to continue reading.

The framework also provides a taxonomy of component/input attributes that, depending on the use for which the purchaser intends to use an HBOM, may be appropriate to include in an HBOM. 

Supply chain security, particularly in the realm of software, has attracted major government attention, leading to mandates around the creation and delivery of SBOMs (software bill of materials) to help mitigate supply chain attacks.

The SBOM mandate was included in a cybersecurity executive order issued May 2021 that sent security leaders scrambling to understand the ramifications and prepare for downstream side-effects.  

Related: Security Leaders Scramble to Decipher SBOM Mandate

Related: Microsoft Ships Open Source Tool for Generating SBOMs

Related: One Year Later: Log4Shell Remediation Slow and Painful

Related: SecurityWeek Video: A Civil Discourse on SBOMs 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.