What to Know About the CISA Software Bill of Materials Sharing Lifecycle Phases
As Software Bill of Materials (SBOM) adoption efforts mature, a report recently released by the Cybersecurity and Infrastructure Security Agency (CISA) provides guidance to users in selecting suitable SBOM sharing platforms based on the amount of time, resources, subject-matter expertise, effort, and access to tooling available to them to implement a phase of the SBOM sharing lifecycle.
The lifecycle has three phases: discovery, access, and transport. A discovery method is used to enable a consumer to identify the location of an SBOM. In the access phase, the consumer fulfills any authorization requirements put in place by the provider. After authorization is granted, a transport method is provided.
The consumer may be the end user of the SBOM. In that case, CISA said the cycle will be completed after the transport phase of the SBOM. But the consumer could also be a downstream author, and if so, they may perform an “enrichment activity” and add additional information to the SBOM or create a new product—such as incorporating the data into another SBOM to expand information about its internal components. Then the sharing phase begins again with the downstream author.
Here’s a more granular look at the lifecycle phases.
The CISA Software Bill of Materials (SBOM) Lifecycle Phases
The lifecycle starts with determining how a consumer will find out about the existence of an SBOM from the author or provider. This could be done through a vendor’s website or a location within the software source code. The report gets into further detail about the level of sophistication of the “interested parties,” from low to medium to high, with examples.
A low-sophistication implementation might be the consumer emailing the author to find out if an SBOM exists and how they might obtain it. A medium-sophistication implementation example might be if a provider creates an email distribution list alerting of new SBOMs.
In the latter example, email is still utilized; however, consumers no longer need to manually inquire about new SBOMs. This process is not personalized and may distribute information that is not relevant to each individual member of the distribution list, in addition to not providing historical or past SBOMs.
In a high-sophistication approach, a provider creates an email distribution list alerting interested users of new SBOMs, and consumers no longer need to manually inquire about new SBOMs. The report notes that this process is not personalized and information may be distributed that is not relevant to each member of the distribution list, nor will historical information or past SBOMs be provided.
Once an SBOM’s location has been discovered, the next step is to obtain access to the data. Again, there are different levels of sophistication. In a low-sophistication example, a provider manually vets requests for an SBOM when responding to a consumer’s emailed request. A medium implementation example would be the use of a login portal with a manual review of account creation requests. A high-sophistication implementation would be the use of a login portal with automation involved in the account creation process. Consumers can obtain access in an automated fashion without major manual intervention.
Once a consumer has gotten the necessary permissions and access, they will be able to read, download, or otherwise obtain the SBOM data itself during the transport phase of the SBOM sharing lifecycle. A low-sophistication transport method might be a provider manually sending an SBOM to anyone who requests it, perhaps as an email attachment. A medium-sophistication transport method can mean using methods such as HTTPS. For high sophistication, an API “should be present, consistent, and repeatable.”
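To make the three phases concrete, here is an added, self-contained model of the high-sophistication tier of each phase as a consumer would experience it: a published, machine-readable index for discovery, automated token issuance for access, and an API-style fetch for transport. This is illustrative code written for this article, not code from CISA’s report or any real SBOM sharing platform; the index layout, the allow-listed consumer domain, the sample SBOM and the digest-in-the-index check are all constructed assumptions. The one design point worth noting is that the expected SHA-256 digest is obtained during discovery, so a consumer can detect an SBOM that was altered in transit during the transport phase.

```python
"""Toy model of the CISA SBOM sharing lifecycle (discovery, access, transport)
at the high-sophistication tier. Everything here runs in-process; the
"provider" is simulated and all data is constructed for the example."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# ---- Provider side (simulated) ---------------------------------------------

# Constructed sample SBOM, abbreviated CycloneDX-like shape.
_SBOM_BYTES = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [{"name": "libexample", "version": "3.4.1"}],
}, sort_keys=True).encode()

# Transport store: location -> SBOM document bytes.
_SBOM_STORE: Dict[str, bytes] = {"/sboms/example-app/1.2.0.cdx.json": _SBOM_BYTES}

# Discovery index: (product, version) -> (location, expected SHA-256 digest).
# Publishing the digest at discovery time lets the consumer verify transport.
_INDEX: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("example-app", "1.2.0"): (
        "/sboms/example-app/1.2.0.cdx.json",
        hashlib.sha256(_SBOM_BYTES).hexdigest(),
    ),
}

# Access policy (assumed): accounts from these domains are approved automatically.
_ALLOWED_CONSUMER_DOMAINS = {"consumer.example"}
_TOKENS: Dict[str, str] = {}  # bearer token -> consumer identity


def discover(product: str, version: str) -> Optional[Tuple[str, str]]:
    """Discovery phase: look up where the SBOM lives and its expected digest."""
    return _INDEX.get((product, version))


def request_access(consumer_email: str) -> Optional[str]:
    """Access phase: automated vetting; returns a bearer token or None."""
    domain = consumer_email.rsplit("@", 1)[-1].lower()
    if domain not in _ALLOWED_CONSUMER_DOMAINS:
        return None
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = consumer_email
    return token


def transport(token: str, location: str) -> Optional[bytes]:
    """Transport phase: API-style fetch that requires a valid token."""
    if token not in _TOKENS:
        return None
    return _SBOM_STORE.get(location)


# ---- Consumer side ---------------------------------------------------------

def verify_sbom(body: bytes, expected_digest: str) -> bool:
    """Check the transported bytes against the digest learned at discovery."""
    actual = hashlib.sha256(body).hexdigest()
    return hmac.compare_digest(actual, expected_digest)


def fetch_sbom(product: str, version: str, consumer_email: str) -> dict:
    """Run all three phases and return the parsed SBOM, or raise on failure."""
    found = discover(product, version)
    if found is None:
        raise LookupError(f"no SBOM discovered for {product} {version}")
    location, expected_digest = found

    token = request_access(consumer_email)
    if token is None:
        raise PermissionError(f"access denied for {consumer_email}")

    body = transport(token, location)
    if body is None:
        raise RuntimeError(f"transport failed for {location}")
    if not verify_sbom(body, expected_digest):
        raise ValueError("SBOM digest mismatch: document altered in transport")
    return json.loads(body)


if __name__ == "__main__":
    sbom = fetch_sbom("example-app", "1.2.0", "alice@consumer.example")
    print("fetched", sbom["bomFormat"], "with", len(sbom["components"]), "component(s)")
```

In a real deployment the index would be served over HTTPS or from a location the provider already publishes, the access step would be a portal or identity provider rather than a domain allow-list, and the digest would ideally be covered by a signature; the structure of the three calls is what carries over.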
In part two of the CISA report, we’ll take a look at the results of a survey CISA conducted on how stakeholders share SBOMs.
About the author: Esther Shein is a longtime freelance tech and business writer and editor whose work has appeared in several publications, including CIO.com, TechRepublic, VentureBeat, ZDNet, TechTarget, The Boston Globe and Inc. She has also written thought leadership whitepapers, ebooks, case studies and marketing materials.