The National Telecommunications and Information Administration (NTIA) is seeking feedback on what to include in its Software Bill of Materials (SBOM), as directed by President Biden’s cybersecurity executive order.
The executive order directed the Department of Commerce, in coordination with NTIA, to “publish the minimum elements” for an SBOM, according to a June 2 Federal Register notice.
Just as a chef would follow a recipe for a meal, software developers and vendors often refer to an SBOM when building software. NTIA wants to know what to include in its “list of ingredients” in order to increase transparency in the software supply chain.
“A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration,” the White House said in its executive order. “The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.”
NTIA is requesting comments “on the minimum elements for an SBOM, and what other factors should be considered in the request, production, distribution, and consumption of SBOMs,” according to the notice.
However, some argue that an SBOM would not prevent major cyberattacks, and that NTIA’s call for comment may leave more questions about the level of detail needed for SBOMs.
“The concept [of SBOMs] certainly bears merit in a commonsense way – knowing what other software is included in a product can speed the response in a supply chain vulnerability or incident response scenario,” Katie Moussouris, founder and CEO of Luta Security, said in her written testimony for a May 27 hearing before the House Science Subcommittee on Investigations and Oversight.
“However, producing or consuming an SBOM would have no effect in stopping or detecting either the SolarWinds nor the CodeCov supply chain attacks,” Moussouris said. “The public comment period for defining the minimum SBOM requirements will leave even more questions about the level of effort required for each organization attempting to comply with that section of the EO, depending on the depth of information that is determined to comprise the minimum SBOM.”
Nevertheless, NTIA’s public comment period ends on June 17.