There has been some progress in the establishment of software bill of materials (SBOM) standards in the year since the Cybersecurity and Infrastructure Security Agency (CISA) began its exploratory sessions on the topic. However, discussions during the recent hybrid event called SBOM-a-rama, hosted by CISA, revealed that there is still a long way to go before effective guidance for IT organizations is established.
The event provided an update on the progress of CISA’s working groups on government requirements for SBOMs under Executive Order 14028, which was issued by the Biden administration in May 2021. SBOMs are machine-readable lists of applications’ components and dependencies that can help IT organizations identify security vulnerabilities.
During the event, attendees questioned whether CISA’s efforts so far will be enough to counteract the fast-moving threat of software supply chain attacks. Some expressed concerns that the pace of progress is not keeping up with the momentum of hackers.
Representatives from the finance and healthcare industries reported progress in the production and use of SBOMs over the past year. In the finance industry, there is a growing awareness of the importance of software supply chain security, with more institutions focusing on this area. In healthcare, efforts to improve software supply chain security have been spurred by a regulation in the Consolidated Appropriations Act, 2023, which granted the FDA authority to regulate “cyber devices” used in the medical field.
However, challenges remain. Negotiating the sharing of SBOM information has been a point of contention, with some software providers hesitant to hand over this information. Efforts to establish consistent asset naming and data quality conventions for SBOM data have also faced difficulties.
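To make concrete what "machine-readable lists of components and dependencies" buys a defender, and why inconsistent asset naming and missing data get in the way, here is a small added example (not from CISA, the event, or any vendor mentioned above). It parses a constructed CycloneDX-style JSON SBOM, normalises each component's identity through its Package URL (purl), records where identity data is missing, and cross-references the result against a constructed advisory list. The SBOM contents, component names, versions and advisory identifiers are all invented for illustration; the case-folding rule is this example's own simplification, not the purl specification's type-specific rules.

```python
"""Minimal SBOM consumer (added example, constructed data throughout)."""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM. The field layout (bomFormat, specVersion,
# components[].name/version/purl) follows CycloneDX JSON; the packages and
# versions are illustrative, not real releases.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "Example-Parser", "version": "2.3.1",
         "purl": "pkg:maven/com.example/Example-Parser@2.3.1"},
        {"type": "library", "name": "leftpad", "version": "1.0.0",
         "purl": "pkg:npm/leftpad@1.0.0"},
        {"type": "library", "name": "tlslib", "version": "0.9.7"},  # no purl
    ],
})

# Constructed advisory feed: (purl without version, first fixed version,
# advisory id). The ids are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    ("pkg:maven/com.example/example-parser", "2.4.0", "ADV-EXAMPLE-0001"),
    ("pkg:npm/leftpad", "1.0.1", "ADV-EXAMPLE-0002"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare as tuples.
    Non-numeric fragments count as 0; good enough for this illustration."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def normalise_purl(purl: str) -> Tuple[str, str]:
    """Split a purl into (case-folded name, version).
    Case-folding is this example's simplification of the naming-consistency
    problem: 'Example-Parser' and 'example-parser' must match the same asset."""
    base, _, version = purl.partition("@")
    return base.lower(), version


def load_components(sbom_json: str) -> List[Dict[str, object]]:
    """Return each component with a normalised identity and a data-quality flag."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    out = []
    for c in doc.get("components", []):
        purl = c.get("purl")
        if purl:
            ident, version = normalise_purl(purl)
        else:
            # No purl: fall back to the bare name, but record that the
            # identity is weak so the consumer can chase better data.
            ident, version = c.get("name", "").lower(), c.get("version", "")
        out.append({"id": ident, "version": version,
                    "weak_identity": purl is None})
    return out


def match_advisories(components, advisories) -> List[Tuple[str, str, str]]:
    """Return (component id, version, advisory id) for every affected entry."""
    hits = []
    for comp in components:
        for adv_base, fixed_in, adv_id in advisories:
            if comp["id"] == adv_base and \
                    parse_version(comp["version"]) < parse_version(fixed_in):
                hits.append((comp["id"], comp["version"], adv_id))
    return hits


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for c in comps:
        if c["weak_identity"]:
            print(f"data-quality gap: no purl for {c['id']} {c['version']}")
    for ident, version, adv_id in match_advisories(comps, SAMPLE_ADVISORIES):
        print(f"{ident}@{version} affected by {adv_id}")
```

Running the script reports the two matched advisories and flags the purl-less `tlslib` entry, which is exactly the kind of component that cannot be reliably correlated with a vulnerability feed until the supplier improves its SBOM data.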
In addition, there is a need for guidance on contract language related to SBOM data. As vulnerabilities are discovered, business stakeholders will need to address the challenge of coordinating upgrades among the various parties involved in the supply chain.
The SBOM-a-rama event also highlighted the need for standards for software-as-a-service (SaaS) and cloud-native systems, which are currently exempt from the executive order requirements. While progress has been made in defining SBOM data fields for online applications, more work is needed to address advanced issues related to cloud-native SBOMs.
Private sector vendors have already developed tools for SBOM integration and analysis, including for cloud-native workloads. These vendors are urging CISA to make quicker progress toward cloud-native SBOM standards to ensure the security and reliability of the software supply chain.
Overall, while there has been progress in the establishment of SBOM standards, there is still much work to be done. The pace of progress must increase to match the fast-moving threat of software supply chain attacks. Collaboration between industry stakeholders and government agencies like CISA will be crucial in addressing the challenges and establishing effective guidance for IT organizations.
