In an effort to improve supply chain security, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued step-by-step guidance for software producers to create software bills of materials (SBOM). This guidance aims to enhance transparency and provide a critical inventory list to support effective risk mitigation strategies across software supply chains.
The guidance, which was published by the cyber defense agency, outlines the technical requirements for building SBOMs. It also recommends that software manufacturers include additional measures for added transparency, such as providing available identifiers for product components when appropriate and including the hash for any artifact associated with various software components.
This move by CISA follows a White House executive order from 2021, which requires agencies to implement SBOMs when developing or procuring software. SBOMs are often compared to ingredient lists for food products, as they provide information about a software product’s components, dependencies, and third-party libraries.
CISA has been actively working to implement SBOMs as a key component of software security and supply chain risk management across the federal government for years. However, many agencies have struggled to build and benefit from the inventory lists in federal information technology contracts with software manufacturers.
To raise awareness and understanding of the importance of SBOMs, CISA launched an SBOM-a-rama event in 2023, designed to help the software and security communities gain further insights into community-led work on SBOMs. Additionally, the agency published a report detailing the different phases of the SBOM-sharing life cycle to assist the public and private sectors in choosing solutions that provide further transparency and information sharing between software manufacturers and consumers.
The step-by-step guidance issued by CISA outlines five key steps that software producers should follow when creating an SBOM for a product line. These steps include determining an identifier to use, choosing a versioning system, listing all product components distributed together as a group, providing a version number for each component, and referencing the build SBOM that generated each component image included in the product group as part of the PLB-SBOM.
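The five steps above, plus the hash recommendation from the technical requirements, can be walked through in code. The following is an added example, not code from CISA or from the guidance itself: it assembles a product-line SBOM for a constructed three-component product, computing a SHA-256 for each artifact and pointing each component at the build SBOM that produced it, and then shows the consumer-side check that the received artifacts match the listed hashes. The product name, component names, build-SBOM URLs and artifact bytes are all constructed here; the field names are modelled loosely on CycloneDX JSON and treating them as an exact CycloneDX document is an assumption.

```python
"""Added example (not the guidance's own code): build and verify a minimal
product-line SBOM following the five steps in the article.

Steps covered:
  1. determine an identifier          -> product_id / purl per component
  2. choose a versioning system       -> semantic versions, enforced by SEMVER
  3. list components shipped together -> the components list
  4. give each component a version    -> version field, validated
  5. reference each build SBOM        -> externalReferences of type "bom"
plus the recommended artifact hash    -> hashes field (SHA-256)
"""
import hashlib
import json
import re

# Constructed sample artifacts; a real producer would read the built images from disk.
ARTIFACTS = {
    "api-server": b"\x7fELF constructed api-server image bytes",
    "worker": b"\x7fELF constructed worker image bytes",
    "libcrypto-shim": b"\x7fELF constructed shared object bytes",
}

# Constructed: the build SBOM emitted by each component's own build pipeline.
# The .invalid TLD is reserved, so these URLs can never resolve.
BUILD_SBOMS = {
    "api-server": "https://sbom.example.invalid/builds/api-server/1.4.2.cdx.json",
    "worker": "https://sbom.example.invalid/builds/worker/2.0.0.cdx.json",
    "libcrypto-shim": "https://sbom.example.invalid/builds/libcrypto-shim/0.9.7.cdx.json",
}

# Step 2: the chosen versioning system is semantic versioning (MAJOR.MINOR.PATCH).
SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


def sha256_hex(data: bytes) -> str:
    """Hash of an artifact, recorded so a consumer can confirm what they received."""
    return hashlib.sha256(data).hexdigest()


def make_component(name: str, version: str, artifact: bytes, build_sbom_url: str) -> dict:
    """One entry in the product-line SBOM (steps 1, 4, 5 and the hash)."""
    if not SEMVER.match(version):
        raise ValueError(f"{name}: version {version!r} is not MAJOR.MINOR.PATCH")
    return {
        "type": "application",
        "name": name,
        "version": version,
        # Step 1: a stable identifier; purl "generic" type is an assumption here.
        "purl": f"pkg:generic/{name}@{version}",
        "hashes": [{"alg": "SHA-256", "content": sha256_hex(artifact)}],
        # Step 5: link to the build SBOM that generated this component image.
        "externalReferences": [{"type": "bom", "url": build_sbom_url}],
    }


def build_product_line_sbom(product_id: str, product_version: str, versions: dict) -> dict:
    """Steps 1-5 for the whole product group distributed together (step 3)."""
    if not SEMVER.match(product_version):
        raise ValueError(f"product version {product_version!r} is not MAJOR.MINOR.PATCH")
    components = [
        make_component(name, ver, ARTIFACTS[name], BUILD_SBOMS[name])
        for name, ver in sorted(versions.items())
    ]
    return {
        "bomFormat": "CycloneDX",   # assumption: CycloneDX-style top level
        "specVersion": "1.5",
        "metadata": {
            "component": {"type": "application", "name": product_id, "version": product_version}
        },
        "components": components,
    }


def verify_artifacts(sbom: dict, received: dict) -> list:
    """Consumer-side check: names of components whose received bytes do not
    match the hash in the SBOM (empty list means everything matched)."""
    mismatches = []
    for comp in sbom["components"]:
        listed = comp["hashes"][0]["content"]
        actual = sha256_hex(received.get(comp["name"], b""))
        if listed != actual:
            mismatches.append(comp["name"])
    return mismatches


if __name__ == "__main__":
    sbom = build_product_line_sbom(
        "example-platform", "3.1.0",
        {"api-server": "1.4.2", "worker": "2.0.0", "libcrypto-shim": "0.9.7"},
    )
    print(json.dumps(sbom, indent=2))
    print("mismatches:", verify_artifacts(sbom, ARTIFACTS))
```

The `verify_artifacts` function is the part a consumer actually runs: it turns the SBOM from a static inventory into a check that the components delivered are the ones the producer built, and a tampered or substituted image shows up as a named mismatch rather than silently passing.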
Overall, the issuance of this detailed SBOM guidance by CISA marks a significant step forward in the government’s commitment to enhancing software supply chain security. By providing clear instructions and technical requirements, CISA aims to empower software producers to create comprehensive SBOMs, ultimately increasing transparency and strengthening the security of software products throughout their lifecycle.