CISA Unveils New HBOM Framework to Track Hardware Components

CISA unveils a new Hardware Bill of Materials (HBOM) framework for buyers and sellers to communicate about components in physical products.

The US government’s cybersecurity agency CISA has unveiled a new Hardware Bill of Materials (HBOM) framework offering a consistent, repeatable way for vendors to communicate with purchasers about hardware components in physical products.

The new framework provides what CISA describes as “a reliable and predictable structure for HBOMs” and a set of clearly defined data fields of HBOM components and their attributes.

“With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience,” said CISA assistant director Mona Harrington. 

Harrington said the HBOM framework [.pdf] includes a consistent naming methodology for component attributes, a format for identifying and providing information about the different types of components, and guidance on which HBOM information is appropriate depending on the purpose for which the HBOM will be used.

The HBOM framework, created by the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, is meant to be flexible and allow purchasers and vendors to tailor it to their specific circumstances or use cases.

The agency said the framework is meant to capture the HBOM information for components at the time of the sale or exchange of goods, and noted that stakeholders may need to update the HBOM during the lifecycle of a product.

CISA said the framework sets forth a format that can be used to ensure consistency across HBOMs and to increase the ease with which vendors and purchasers produce and use HBOMs. 

It also includes a method for describing “nesting” of components where a vendor purchases an assembly from a third party, and that assembly requires further HBOM information to properly identify supply chain issues that are farther up in the supply chain.  

The framework also provides a taxonomy of component/input attributes that, depending on the purpose for which the purchaser intends to use an HBOM, may be appropriate to include in it.
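To make the "nesting" and use-case-dependent attribute ideas concrete, here is a small added example, written for this article and not taken from CISA's framework document. Every field name (component_name, supplier, part_number, country_of_origin, sub_components), the two use-case profiles, and the sample product are assumptions constructed for illustration; the framework's own data fields and taxonomy differ. The example models a product whose third-party assembly carries its own nested HBOM, walks every tier to list upstream suppliers, and reports which components lack an attribute a given purpose requires.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# NOTE: the attribute names below (component_name, supplier, part_number,
# country_of_origin, sub_components) and the use-case profiles are
# assumptions made for this example. They are not the data fields or
# taxonomy defined in CISA's HBOM framework document.


@dataclass
class Component:
    component_name: str
    supplier: str
    part_number: str
    country_of_origin: Optional[str] = None
    # An assembly bought from a third party carries its own HBOM here. This is
    # the "nesting" the framework describes: it lets a purchaser look further
    # up the supply chain than the vendor's direct suppliers.
    sub_components: List["Component"] = field(default_factory=list)


# Attributes a purchaser might require for a given purpose. These profiles are
# constructed for the example; the framework's guidance maps purposes to
# fields in its own way.
USE_CASE_PROFILES: Dict[str, List[str]] = {
    "inventory": ["component_name", "supplier", "part_number"],
    "provenance_review": ["component_name", "supplier", "part_number",
                          "country_of_origin"],
}


def flatten(component: Component, depth: int = 0) -> Iterator[Tuple[int, Component]]:
    """Walk the nested HBOM depth-first, yielding (tier, component) pairs."""
    yield depth, component
    for child in component.sub_components:
        yield from flatten(child, depth + 1)


def upstream_suppliers(product: Component) -> List[str]:
    """Distinct suppliers at every tier of the nested HBOM, sorted."""
    return sorted({c.supplier for _, c in flatten(product)})


def components_from(product: Component, supplier: str) -> List[str]:
    """Names of all components, at any tier, sourced from one supplier."""
    return [c.component_name for _, c in flatten(product) if c.supplier == supplier]


def missing_attributes(product: Component, use_case: str) -> Dict[str, List[str]]:
    """Map component name -> required attributes that are empty for this use case.

    Components that satisfy the profile are omitted, so an empty dict means
    the HBOM is complete enough for that purpose.
    """
    required = USE_CASE_PROFILES[use_case]
    gaps: Dict[str, List[str]] = {}
    for _, comp in flatten(product):
        absent = [attr for attr in required if getattr(comp, attr) in (None, "")]
        if absent:
            gaps[comp.component_name] = absent
    return gaps


def sample_product() -> Component:
    """Constructed HBOM for a fictional edge gateway; not real product data."""
    return Component(
        "Edge gateway", "VendorA", "EG-100", "ZZ",
        sub_components=[
            Component(
                "Mainboard assembly", "AssemblyCo", "MB-7", "XX",
                sub_components=[
                    Component("SoC", "ChipCo", "SC-9", "XX"),
                    Component("Flash memory", "MemCo", "FM-2"),  # origin not supplied
                ],
            ),
            Component("Power supply", "PowerInc", "PS-12", "YY"),
        ],
    )


if __name__ == "__main__":
    product = sample_product()
    for tier, comp in flatten(product):
        print("  " * tier + f"{comp.component_name} ({comp.supplier}, {comp.part_number})")
    print("Suppliers at any tier:", upstream_suppliers(product))
    print("Gaps for provenance review:", missing_attributes(product, "provenance_review"))
```

The point of the two use-case profiles is the one the article makes: an HBOM that is complete enough for inventory purposes (name, supplier, part number) can still be incomplete for a provenance review, and only by walking the nested assembly does the missing origin of the flash memory, two tiers below the vendor, become visible.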

Supply chain security, particularly in the realm of software, has attracted major government attention, leading to mandates around the creation and delivery of SBOMs (software bill of materials) to help mitigate supply chain attacks.

The SBOM mandate was included in a cybersecurity executive order issued May 2021 that sent security leaders scrambling to understand the ramifications and prepare for downstream side-effects.  

Related: Security Leaders Scramble to Decipher SBOM Mandate

Related: Microsoft Ships Open Source Tool for Generating SBOMs

Related: One Year Later: Log4Shell Remediation Slow and Painful

Related: SecurityWeek Video: A Civil Discourse on SBOMs 
