
US, Allies Push for SBOMs to Bolster Cybersecurity

SBOM adoption will drive software supply chain security, decreasing risks and costs, and improving transparency.


Government agencies in the US and 14 allied countries have released new guidance on the advantages of widespread adoption of Software Bills of Materials (SBOMs).

The shared vision of SBOM guidance (PDF) describes the advantages of integrating SBOM generation, analysis, and sharing into security processes and practices, arguing that SBOM adoption improves security and reduces both risk and cost.

By providing details on the provenance and security of software and its components, modules, and libraries, SBOMs help organizations understand and address security risks in the software supply chain, the authoring agencies say.

“The first step to addressing these risks is to increase transparency. This is especially important for software in critical infrastructure and systems that carry out essential functions that affect public safety,” the guidance reads.

Designed as formal records of the details and relationships of various components within software, SBOMs are considered key components in securing the software supply chain due to the visibility they provide into each component.

“SBOMs enable greater visibility across an organization’s software supply chain and enterprise system by documenting information about software dependencies. Organizations can leverage this transparency to increase the efficacy of risk management practices, particularly vulnerability management and supply chain management, improve software development processes, and support an organization’s license management,” the agencies say.


SBOMs, they note, should be machine-processable in a widely used format, and should be shared downstream to help organizations respond to new risks, such as vulnerabilities or license concerns, faster and more efficiently.

“When all participants along the supply chain have an SBOM for a piece of software, the time to identify and respond to vulnerabilities can be reduced significantly. Without an SBOM, each actor is dependent on upstream suppliers for notification that the vulnerability impacts their software,” the guidance reads.

The adoption of SBOMs throughout the software development process, the agencies say, lowers component management costs, downtime during vulnerability response, and the time needed to identify issues in discontinued components.

Post-deployment SBOM monitoring helps identify components that have become vulnerable over time so they can be patched quickly, and surfaces licensing information so that software components are used only as their licenses allow.
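The two mechanisms the guidance describes above, matching a machine-readable SBOM against newly published vulnerability data and keeping track of component licences, are shown below as an added example that is not part of the SecurityWeek article or of the guidance itself. It assumes a CycloneDX-style JSON SBOM and a constructed advisory feed with placeholder advisory IDs; both are embedded inline and are not real data, and the dotted-numeric version comparison is a simplification of what real SBOM tooling does with semver and purl libraries.

```python
"""Match an SBOM's components against an advisory feed and list licences.

Added example: CycloneDX-style SBOM and advisory feed are constructed here
and are not real data. Version comparison is a simplified stand-in.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical service.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "2.3.1",
     "purl": "pkg:pypi/examplelib@2.3.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "netparse", "version": "1.0.7",
     "purl": "pkg:pypi/netparse@1.0.7",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "fastjson", "version": "4.2.0",
     "purl": "pkg:npm/fastjson@4.2.0"}
  ]
}
"""

# Constructed advisory feed with placeholder IDs (not real vulnerabilities).
# Each entry covers versions in the half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "purl_prefix": "pkg:pypi/examplelib",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-EXAMPLE-002", "purl_prefix": "pkg:npm/fastjson",
     "introduced": "4.0.0", "fixed": "4.1.9"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple.

    Simplification: real tooling must handle semver pre-release tags,
    ecosystem-specific ordering and purl qualifiers.
    """
    return tuple(int(part) for part in version.split("."))


def purl_base(purl):
    """Strip the '@version' suffix from a purl (assumes no qualifiers)."""
    return purl.split("@", 1)[0]


def affected_components(sbom_json, advisories):
    """Return [{'purl': ..., 'advisory': ...}] for components in an advisory's range."""
    sbom = json.loads(sbom_json)
    hits = []
    for component in sbom.get("components", []):
        purl = component.get("purl")
        if not purl:
            # A component without a purl cannot be matched reliably; a real
            # pipeline would flag it for manual review rather than ignore it.
            continue
        version = parse_version(component["version"])
        for adv in advisories:
            if purl_base(purl) != adv["purl_prefix"]:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                hits.append({"purl": purl, "advisory": adv["id"]})
    return hits


def license_inventory(sbom_json):
    """Map each component purl to its declared SPDX licence IDs ([] if none declared)."""
    sbom = json.loads(sbom_json)
    inventory = {}
    for component in sbom.get("components", []):
        purl = component.get("purl", component["name"])
        ids = [entry["license"]["id"]
               for entry in component.get("licenses", [])
               if "license" in entry and "id" in entry["license"]]
        inventory[purl] = ids
    return inventory


if __name__ == "__main__":
    for hit in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{hit['purl']} is affected by {hit['advisory']}")
    for purl, ids in license_inventory(SBOM_JSON).items():
        print(f"{purl}: {', '.join(ids) if ids else 'no licence declared'}")
```

Running the script reports `examplelib@2.3.1` as affected by `ADV-EXAMPLE-001` (it falls inside the `[2.0.0, 2.3.2)` range) while `fastjson@4.2.0` is not, because it is at or above the fixed version; the licence inventory also shows that `fastjson` declares no licence at all, which is exactly the kind of gap a downstream consumer would want surfaced rather than silently accepted.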

“Producers, choosers, and operators of software across the software ecosystem benefit from the increased transparency from SBOM data. Organizations may simultaneously take on the role of software producer and chooser, chooser and operator, or any combination of those roles,” the guidance reads.

Producing and maintaining SBOMs for each product helps software manufacturers and producers adopt the secure-by-design principle, the authoring agencies say. Automation is considered a core component of SBOM generation, management, and consumption.

“Better software transparency will directly improve the quality of decisions made in the creation and use of software. The authoring organizations understand the value of SBOM in securing the software supply chain and recognize the need for greater transparency in software development,” the agencies note.

Related: CISA Requests Public Feedback on Updated SBOM Guidance

Related: New UK Framework Pressures Vendors on SBOMs, Patching and Default MFA

Related: China’s Salt Typhoon Hacked Critical Infrastructure Globally for Years

Related: US Government Taking Creative Steps to Counter Cyberthreats


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
