The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and 19 international partners released a joint guide on Sept. 3 that aims to inform the global cyber community on the value of implementing a software bill of materials (SBOM).

Just as a chef would follow a recipe for a meal, software developers and vendors often refer to an SBOM when building software. The guide explains that SBOMs act as a software “ingredients list,” providing organizations with much-needed visibility into software dependencies.

“The ever-evolving cyber threats facing government and industry underscore the critical importance of securing software supply chain and its components. Widespread adoption of SBOM is an indispensable milestone in advancing secure-by-design software, fortifying resilience, and measurably reducing risk and cost,” said Madhu Gottumukkala, acting director of CISA, in a press release.

“This guide exemplifies and underscores the power of international collaboration to deliver tangible outcomes that strengthen security and build trust,” Gottumukkala said. “Together, we are driving efforts to advance software supply chain security and drive unparalleled transparency, fundamentally improving decision-making in software creation and utilization.”

The guide underscores the critical role of SBOMs in identifying risks within software components and advocates for their integration into security practices. It highlights the need for consistent SBOM implementation across countries and industries to help promote interoperability, simplify processes, and support scalable adoption.

It also notes that SBOMs offer a way for software manufacturers and producers to adopt CISA’s Secure by Design principles. Specifically, SBOMs allow them to support the Secure by Design principle of embracing radical transparency and accountability in their supply chains.

“By building and maintaining SBOMs for each product, requesting data from suppliers, and making SBOMs available for downstream customers and users, software manufacturers and producers demonstrate their due diligence in the products they create and their ability to respond to risk,” the guide says. “SBOMs also enable software consumers to better respond to risks when new vulnerabilities emerge.”

CISA, NSA, and the 19 international partners are encouraging software producers, purchasers, and operators to review the guide and integrate SBOM generation, analysis, and sharing into their security practices.

The new guide comes after CISA released updated SBOM guidance last month. CISA said it wants feedback by Oct. 3 on its new 17-page draft, which builds on the 2021 SBOM Minimum Elements published by the National Telecommunications and Information Administration.
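The two uses of an SBOM the guide describes above, checking that a supplier's inventory carries the NTIA 2021 minimum data fields and matching it against newly published advisories when a vulnerability emerges, as an added example in Python. It is not code from the joint guide, CISA or NTIA; the SBOM, package names and advisory identifiers are constructed placeholders.

```python
# NTIA (2021) minimum data fields per component; author and timestamp are
# document-level fields and are checked separately.
COMPONENT_FIELDS = ("supplier", "name", "version", "identifier", "dependencies")
DOCUMENT_FIELDS = ("author", "timestamp", "components")

# Constructed sample SBOM for a hypothetical product; not a real inventory.
SAMPLE_SBOM = {
    "author": "example-vendor sbom-tool",
    "timestamp": "2025-09-03T00:00:00Z",
    "components": [
        {"supplier": "Example Corp", "name": "acme-app", "version": "2.4.0",
         "identifier": "pkg:generic/acme-app@2.4.0",
         "dependencies": ["pkg:generic/libparse@1.8.2"]},
        {"supplier": "Parse Project", "name": "libparse", "version": "1.8.2",
         "identifier": "pkg:generic/libparse@1.8.2", "dependencies": []},
        {"supplier": "Unknown", "name": "zlib-shim", "version": "0.3",
         "identifier": "pkg:generic/zlib-shim@0.3"},  # no dependency data
    ],
}

# Constructed advisory feed with placeholder ids (not real CVEs).
SAMPLE_ADVISORIES = {
    "EXAMPLE-ADV-0001": {"name": "libparse", "versions": {"1.8.1", "1.8.2"}},
    "EXAMPLE-ADV-0002": {"name": "acme-app", "versions": {"2.3.0"}},
}

def missing_fields(sbom):
    """Map each incomplete component (or the document) to its missing fields."""
    gaps = {}
    doc_missing = [f for f in DOCUMENT_FIELDS if f not in sbom]
    if doc_missing:
        gaps["<document>"] = doc_missing
    for i, comp in enumerate(sbom.get("components", [])):
        miss = [f for f in COMPONENT_FIELDS if f not in comp]
        if miss:
            gaps[comp.get("identifier", f"component[{i}]")] = miss
    return gaps

def affected_components(sbom, advisories):
    """Return sorted (advisory id, component identifier) pairs that match."""
    return sorted((adv_id, comp["identifier"])
                  for comp in sbom.get("components", [])
                  for adv_id, adv in advisories.items()
                  if comp.get("name") == adv["name"]
                  and comp.get("version") in adv["versions"])

def dependents_of(sbom, identifier):
    """Walk dependency relationships upward: components that include `identifier`."""
    return sorted(c["identifier"] for c in sbom.get("components", [])
                  if identifier in c.get("dependencies", []))
```

A consumer runs `missing_fields` when an SBOM arrives from a supplier and `affected_components` plus `dependents_of` when a new advisory is published, to see which products ship the affected component.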

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.