US Government Issues Guidance on SBOM Consumption

November 10, 2023 at 07:00AM

The US cybersecurity agency CISA, the NSA, and the ODNI have issued new guidance to help software vendors secure the software supply chain. The guidance focuses on assessing security measures throughout the software lifecycle, managing open source software and software bills of materials, and making recommendations for different phases of the supply chain. The agencies emphasize the importance of proactively managing and mitigating risks and provide guidance on implementing software bills of materials and taking necessary actions to ensure software security.

The US cybersecurity agency CISA, the NSA, and the Office of the Director of National Intelligence (ODNI) have released new guidance for software vendors and suppliers on securing the software supply chain. The guidance is intended to help organizations assess their security measures throughout the software lifecycle, including how they manage open-source software (OSS) and software bills of materials (SBOM). Its recommendations can be applied across the phases of the software supply chain to increase resilience in development, production, distribution, and management processes, and all organizations involved in the supply chain are encouraged to proactively manage and mitigate risks as part of secure software development practices.

The guidance focuses specifically on implementing SBOM processing, assessing the risk of identified vulnerabilities, preventing the exploitation of vulnerabilities, requesting updated SBOMs, and other actions needed for efficient SBOM consumption. SBOMs are treated as a critical component of software security and software supply chain risk management: they describe the contents of a piece of software, such as whether its components are up to date, which open-source software it uses, and its compliance status, and they help reduce exposure once a vulnerability is identified.

Customers often need to consume thousands of SBOMs to understand their risk exposure, so automated SBOM processing, analysis, and correlation are necessary to make full use of them. The guidance therefore emphasizes that SBOMs should be treated as collections of data that can be parsed, extracted, and loaded into automated processes, rather than merely as files.
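The last point, treating an SBOM as data rather than a file, is illustrated below with an added example that is not part of the article or the agencies' guidance. It assumes the CycloneDX JSON layout and package URLs (purl) as component identifiers; both the SBOM and the advisory feed are constructed sample data, and the advisory IDs are placeholders.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM in the CycloneDX JSON layout (format assumed; not from the guidance).
# Each component carries a purl, which is the key the correlation step matches on.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "inventory-service", "version": "2.3.1"}},
    "components": [
        {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "jackson-databind", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Constructed advisory feed keyed by version-less purl: (placeholder advisory id, first fixed version).
# A real feed (OSV, vendor VEX) carries explicit affected ranges; this toy treats every version
# below the fixed one as affected, which is enough to show the correlation step.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("EXAMPLE-ADV-1", "2.17.1")],
    "pkg:npm/lodash": [("EXAMPLE-ADV-2", "4.17.21")],  # fixed version already in use
}


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/ns/name@version' into (version-less purl, version)."""
    base, _, version = purl.partition("@")
    return base, version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for dotted numeric versions so '2.9.0' sorts below '2.14.1'."""
    return tuple(int(part) for part in version.split("."))


def parse_sbom(text: str) -> List[Tuple[str, str]]:
    """Load the SBOM as data and return (base purl, version) for every component with a purl."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [split_purl(c["purl"]) for c in doc.get("components", []) if "purl" in c]


def correlate(components: List[Tuple[str, str]], advisories) -> List[Tuple[str, str, str]]:
    """Return (purl, version, advisory id) for each component below an advisory's fixed version."""
    findings = []
    for base, version in components:
        for adv_id, fixed in advisories.get(base, []):
            if version_key(version) < version_key(fixed):
                findings.append((base, version, adv_id))
    return findings
```

Running `correlate(parse_sbom(SAMPLE_SBOM), SAMPLE_ADVISORIES)` over the sample flags only the log4j-core component; the same loop scales to thousands of SBOMs because each one is reduced to a list of purls before it is matched.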