How To Align Your SBOM with the US Government Executive Order

Learn best practices for aligning your SBOM with the executive order

One of the requirements of Executive Order 14028, issued in May 2021 and designed to improve the nation’s cybersecurity, is that software producers who supply the federal government provide a software bill of materials (SBOM) for each product.

An SBOM is a formal record containing the details and supply chain relationships of various components used in building software products. Developers often create products by assembling existing open source and commercial software components, and the SBOM enumerates these components in a product.

SBOMs enable developers and users of a piece of software to make sure that components are up to date, and to respond quickly to new vulnerabilities that might emerge.

How can organizations be sure to align their SBOMs with the executive order? Here are some best practices.

Adhere to the Executive Order’s Minimum Elements for an SBOM

The Executive Order directed the U.S. Department of Commerce and the National Telecommunications and Information Administration (NTIA) to publish the “minimum elements” for an SBOM, and in 2021 Commerce published these elements.

The minimum elements are the essential pieces that support basic SBOM functionality, and will serve as the foundation for an evolving approach to software transparency, according to a report by the Commerce Department. These minimum elements comprise three broad, interrelated areas: data fields; automation support; and practices and processes.

Data fields document baseline information about each component that should be tracked, such as supplier, component name, version of the component, other unique identifiers, dependency relationship, author of SBOM data, and timestamp.

Practices and processes include defining the operations of SBOM requests, generation and use, including frequency, depth, known unknowns, distribution and delivery, access control and accommodation of mistakes.

Automation support is so important it warrants separate mention.

Use Automation to Meet SBOM Requirements

The Executive Order requires software inventories to be automatically generated in a machine-readable format. An SBOM that does not support automation will not be compliant with the requirements.

The Commerce Department specifically mentions supporting automatic generation and machine-readability to allow for scaling across the software ecosystem. Data formats used to generate and consume SBOMs include SPDX, CycloneDX, and SWID tags.
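The following Python check, added here as an example and not taken from the article or from any SBOM tool, tests a parsed CycloneDX JSON document for the minimum data fields listed above and reports which ones each component lacks. The mapping of each field to a CycloneDX property and the sample document are assumptions constructed for illustration.

```python
# Constructed sample: a small CycloneDX-style SBOM as a parsed JSON dict.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2024-01-15T10:00:00Z",
                 "authors": [{"name": "Example Build Team"}]},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
         "version": "2.31.0", "supplier": {"name": "Example Supplier"},
         "purl": "pkg:pypi/requests@2.31.0"},
        {"bom-ref": "internal-lib", "name": "internal-lib", "version": ""},
    ],
    "dependencies": [{"ref": "pkg:pypi/requests@2.31.0", "dependsOn": []}],
}

# Assumed mapping from each per-component minimum field to a CycloneDX check.
COMPONENT_CHECKS = {
    "supplier": lambda c, deps: bool((c.get("supplier") or {}).get("name")),
    "component name": lambda c, deps: bool(c.get("name")),
    "version": lambda c, deps: bool(c.get("version")),
    "other unique identifiers":
        lambda c, deps: any(c.get(k) for k in ("purl", "cpe", "swid")),
    "dependency relationship": lambda c, deps: c.get("bom-ref") in deps,
}

def missing_minimum_fields(bom):
    """Return {location: [missing fields]} for a parsed CycloneDX JSON dict."""
    gaps = {}
    meta = bom.get("metadata") or {}
    # Document-level fields: timestamp and author of SBOM data.
    doc = [] if meta.get("timestamp") else ["timestamp"]
    if not meta.get("authors"):
        doc.append("author of SBOM data")
    if doc:
        gaps["document"] = doc
    # A component's relationships are stated if "dependencies" has an entry
    # for its bom-ref (an empty dependsOn list still counts as stated).
    deps = {d["ref"] for d in bom.get("dependencies") or [] if d.get("ref")}
    for i, comp in enumerate(bom.get("components") or []):
        miss = [f for f, ok in COMPONENT_CHECKS.items() if not ok(comp, deps)]
        if miss:
            gaps[comp.get("name") or f"components[{i}]"] = miss
    return gaps

if __name__ == "__main__":
    for where, fields in missing_minimum_fields(SAMPLE_SBOM).items():
        print(f"{where}: missing {', '.join(fields)}")
```

A check like this can run as a build gate so that an SBOM with gaps is flagged before it is delivered.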

SBOMs should be automated as well as dynamic. When evaluating SBOM tools, organizations should look for capabilities such as the ability to build a live inventory of all their software components, everywhere and at any point in the software development lifecycle; search and find vulnerable components across billions of files; use runtime analysis to know if detected bugs are exploitable in a specific environment; export and share SBOMs in standard formats; and continuously monitor and update SBOMs in real time to account for changes as they’re introduced.

Keep Up with Future SBOM and Compliance Developments

As the Commerce Department report notes, SBOM is an emerging technology and practice.

“The foundation for a more complete approach to securing the software supply chain is to securely capture details from across the software lifecycle, with cryptographic assurance,” the report says. “The minimum elements of SBOM starts this process, but there is more to do.”

Capturing more metadata is helpful, it says, “but effectively using this data requires automation, and automation requires the potential for both automated consumption and policy enforcement. This will require not just machine readability, but also semantic interpretation, which in turn will require further work on data specifications and standardization.”

It behooves security leaders and others involved in the SBOM process to stay on top of new developments in this area.
