Connect with us

Hi, what are you looking for?


Supply Chain Security

US Government Issues Guidance on SBOM Consumption

CISA, NSA, and ODNI issue new guidance on managing open source software and SBOMs to maintain awareness on software security.

The US cybersecurity agency CISA, the NSA, and the Office of the Director of National Intelligence (ODNI) on Thursday released new guidance for software vendors and suppliers on securing the software supply chain. 

The document (PDF) can help organizations assess their security measures throughout the software lifecycle, including managing open source software (OSS) and software bills of materials (SBOM), and provides recommendations that can be applied across different phases of the software supply chain.

The new counseling comes roughly one year after CISA, NSA, and ODNI released a three-part joint guidance on how software developers, suppliers, and customers can secure the supply chain and aims to increase the resilience of development, production, distribution, and management processes.

“All organizations are encouraged to proactively manage and mitigate risks as a part of evolving secure software development practices. An organization’s role as a developer, supplier or customer of software in the software supply chain lifecycle will continue to determine the shape and scope of this responsibility,” the three agencies note.

The document provides guidance on implementing SBOM processing, assessing the risk of identified vulnerabilities, taking specific steps to avoid the exploitation of a vulnerability, requesting new SBOMs for updated software, and other actions organizations should take when it comes to efficient SBOM consumption.

According to the new guidance, SBOMs represent a central component in software security and software supply chain risk management, and may be correlated with other data to increase their value and scope and to create risk scores that enable timely action.

“An SBOM conveys information about what is in the software. The mere act of knowing that a supplier can provide a quality SBOM offers benefits to the software user, since it offers a certain level of confidence that the software supplier is more likely to be able to respond to supply chain concerns,” the document reads.

SBOMs, the three agencies note, have become critically important as they show if the software is up-to-date, provide information on the use of open source software, help ensure compliance, and can help reduce the exposure window, once a vulnerability has been identified.

Advertisement. Scroll to continue reading.

Customers need to consume thousands of SBOMs to understand their risk exposure, and fully leveraging the potential of SBOMs requires automated SBOM processing, analysis, and correlation, as well as turning SBOM data into security intelligence, CISA, NSA, and ODNI note.

“Data from SBOMs feeds into many enterprise workflows, including procurement, asset management, vulnerability management, and overarching supply chain risk management and compliance functions. Therefore, the SBOM is often less useful as a file than as a collection of data that can be parsed, extracted, and loaded into automated processes,” the guidance reads.

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: CISA Introduces Secure-by-design and Secure-by-default Development Principles

Related: SecurityWeek Cyber Insights 2023 | Supply Chain Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Supply Chain Security

SBOMs can be used for managing risk and determining vulnerability impact, but it’s very hard to build holistic risk models when the data is...

Application Security

Enterprise communication and collaboration platform Slack has informed customers that hackers have stolen some of its private source code repositories, but claims impact is...


HashiCorp acquires BluBracket secrets-scanning technology to help businesses block accidental leaks and fight secret sprawl.

Supply Chain Security

Oracle's Critical Patch Update for January 2023 includes 327 patches, with more than 70 that address critical-severity vulnerabilities.

Endpoint Security

A backdoor feature found in hundreds of Gigabyte motherboard models can pose a significant supply chain risk to organizations.