WASHINGTON – Today, global tech trade association ITI recommended the Biden Administration continue to approach supply chain security in a holistic manner as it considers Software Bill of Materials (SBOM) minimum elements in its implementation of the Executive Order on Improving the Nation’s Cybersecurity. In a comment submission to the National Telecommunications and Information Administration (NTIA), ITI underscores that an SBOM, which is essentially a record of certain information regarding components that comprise a piece of software, can provide value but is only one tool that can be used to address software supply chain security challenges.
As it seeks to define the minimum elements of an SBOM, ITI notes that NTIA should consider that any vulnerability information included in an SBOM is only as helpful as the context surrounding it. NTIA should also be mindful that any potential requirements that stem from this exercise do not duplicate existing standards and frameworks, particularly as applied to federal contractors.
“We applaud NTIA’s multi-stakeholder efforts to facilitate transparency of, and trust in, software components as foundational tenets to improving cybersecurity,” said John Miller, ITI Senior Vice President of Policy and General Counsel. “SBOMs are an important transparency-enhancing tool but should not be misconstrued as a mechanism to improve secure software development practices. Importantly, NTIA should not try to solve the entire complex supply chain security challenge through SBOMs, but should instead focus on making them viable by keeping their minimum elements as simple as possible.”
ITI encouraged NTIA, and the U.S. government more broadly, to weigh key considerations as it seeks to implement this part of the EO, including: ensuring that the scope of an SBOM delineates whether it should include first-party code or only third-party code; the potential for cyber risk and for revealing insights about sensitive market dynamics in cases where SBOMs are publicly disclosed; and the cost associated with creating SBOMs, which could divert resources from other critical areas, like building software integrity practices.
ITI offered specific recommendations for SBOMs including:
Outlining the minimum elements for data fields as: Component Name, Supplier Name, Version of the software component, and Origin (which could be different from Supplier Name). This would exclude the proposed minimum elements of “dependency relationship” and “cryptographic hash.”
Making access to SBOMs limited to a need-to-know basis and ensuring that roles are specified in applicable contracts.
Urging NTIA and NIST to convene stakeholders to explore several additional operational considerations, including methods to address questions related to software identity, such as how to handle inventorying beyond the version number. As NIST fulfills its mandate to develop guidance that enhances the security of the software supply chain pursuant to Section 4 of the EO, it is required to consider whether and how to incorporate relevant standards, procedures, or criteria regarding SBOMs.