Section 10(j) of EO 14028 defines an SBOM as a “formal record containing the details and supply chain relationships of various components used in building software,[1]” similar to food ingredient labels on packaging. SBOMs hold the potential to provide increased transparency, provenance, and speed at which vulnerabilities[2] can be identified and remediated by federal departments and agencies. SBOMs can also be indicative of a developer or suppliers’ application of secure software development practices across the SDLC. Figure F-1 illustrates an example of how an SBOM may be assembled across the SDLC.
Federal agencies should ensure that their suppliers of software products and services are able to produce SBOMs in conformance with the EO and NTIA’s The Minimum Elements For a Software Bill of Materials (SBOM) by containing:
NTIA’s guidance acknowledges that SBOM capabilities are currently nascent for federal acquirers and that the minimum elements are but “a key, initial step in the SBOM process that will advance and mature over time”. As SBOMs mature, agencies should ensure they do not deprioritize existing C-SCRM capabilities (e.g., vulnerability management practices, vendor risk assessments) under the mistaken assumption that SBOM replaces these activities. SBOMs and the improved transparency that they are meant to provide for federal acquirers are a complementary, not substitutive, capability. Federal acquirers that are unable to appropriately ingest, analyze, and act on the data that SBOMs provide will likely not improve their overall C-SCRM posture.
Federal acquirers should further consider that effectively implemented SBOMs are still subject to operational constraints. For example, SBOMs that are retroactively generated may not be able to produce the same list of dependencies used at build-time. Though this constraint may diminish over time, federal acquirers should continue using the risk-based approaches outlined in SP 800-161 Rev. 1 and SP 800-218 to guide their implementation of SBOMs over this rapid period of transition.
In his context, federal agencies should consider, where possible and applicable, the following recommended SBOM capabilities:
[1] Executive Office of the President. (2021). Executive Order 14028 on Improving the Nation's Cybersecurity. https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity
[2] References to vulnerabilities are inclusive of Common Weakness Enumerations (CWE) found pre-release and Common Vulnerabilities and Exposures (CVE) found post-release, as outlined in NISTIR 8011 Vol. 4, Automation Support for Security Control Assessments: Software Vulnerability Management.
[3] GitLab. (2021). NIST Position Paper #2.
[5] Synopsys. (2021). Guidelines for software integrity chains and provenance.
[6] National Telecommunications and Information Administration. (2021). The Minimum Elements For a Software Bill of Materials (SBOM). https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
Content: