On October 15, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published software bill of materials (“SBOM”) guidance through the third edition of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (dated September 3, 2024) (the “Guidance”). The Guidance provides “a minimum expectation for creating a baseline SBOM.” As CISA has noted, “[an SBOM] has emerged as a key building block in software security and software supply chain risk management.” SBOMs are defined by CISA as “a formal record containing the details and supply chain relationships of various components used in building software.”
In light of the Government’s increasing interest in the use of SBOMs, both as evidenced through the reference to a requirement for SBOMs in the proposed Federal Acquisition Regulation (“FAR”) Cyber Threat and Incident Reporting and Information Sharing Rule (discussed here) and in the Office of Management and Budget’s Secure Software Development Framework (discussed here), the Guidance could help inform future SBOM minimum requirements for government contractors as well as the broader software supplier community.
Developing practices to ensure the security of the software supply chain has been a focus of the Executive Branch for a number of years. In 2019, the National Telecommunications and Information Administration (“NTIA”) published the first edition of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM). NTIA built upon this guidance in 2021 when it released the second edition of Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM). Earlier that same year, the Biden Administration published an Executive Order on Improving the Nation’s Cybersecurity, which tasked the Secretary of Commerce to provide guidance regarding practices that strengthen software supply chain security which included “publish[ing] minimum elements for an SBOM.” Subsequently, in July 2021, NTIA published The Minimum Elements For a Software Bill of Materials (the “Minimum Elements”).
Three years later, CISA published the third edition of Framing Software Component Transparency. Although CISA noted there is a distinction between the Guidance and the Minimum Elements, CISA also stated that it retains “the authority to update the [Minimum Elements].” One of the key additions to the third edition is the inclusion of maturity levels for various Attributes—the Guidance identifies practices as minimum expectations, recommended practices, or aspirational goals (for the purposes of brevity, this overview focuses on the minimum expectations). The Guidance further introduces the license and copyright holder Baseline Attributes, among other changes.