Software Bill of Materials Event Summary
Introduction
On September 7, the Cybersecurity Coalition hosted a two-part event on Software Bill of Materials (SBoM). The event began with a public webinar in the morning that outlined the current state of SBoM and identified challenges to its use and adoption within two specific use cases. The event finished with a workshop in the afternoon that sought to provide practical next steps to addressing those challenges. This document summarizes the key points, takeaways, and paths forward that were identified through the course of the day.
Morning Webinar
The morning webinar portion of the event laid the groundwork for the afternoon sessions through a series of panels that investigated the current state of SBoM, and the challenges and opportunities of SBoM use and adoption in the context of component vulnerability and procurement transparency.
Panel 1: State of SBoM Today
The first panel provided a down-to-earth assessment of the actual maturity of SBoM as it exists today. This panel identified that while SBoM has significant potential to aid security in a variety of contexts, additional work is necessary to meet this potential. The areas identified included:
· The need for more clarity and consistency around the content of SBoMs;
· The potential reticence for organizations to make SBoMs public;
· The mistaken belief that SBoMs provide provenance;
· The need for standardization; and
· The need to ensure that SBoMs are seen as one part of overall risk management, not as a standalone solution itself.
Panel 2: Component Vulnerability
The second panel delved into the use of SBoMs within the context of the component vulnerability use case. This panel discussed how past efforts, such as CPE[SGM1] could be instructive, how existing standards like CVE could factor into SBoM efforts, and how SBoM integrates with vulnerability management. Issue areas identified included:
· The need to be able to trust/verify that SBoMs are accurate and untampered with;
· The need for unique identifiers;
· The need for a discovery service for SBoMs;
· The need for accurate asset inventory to make full use of SBoMs;
· The need for SBoMs to be created at development time – not reversed engineered; and
· The need or Pilot programs.
Panel 3: Procurement Transparency
The final panel of the event explored the use of SBoMs within the context of the procurement transparency use case. The panel discussed how SBoM’s are currently being used in the procurement process, how they are being shared and updated, and what concerns exist related to making them public. Issue areas identified included:
· The significant legal concerns over how SBoMs may be used;
· The significant concern that lawmakers are acting too quickly with respect to legislation;
· The need to eventually be able to comparatively evaluate SBoMs;
· The use of SBoMs to assess developer maturity; and
· The lack of overall industry maturity to use SBoMs - including the lack of tools, sharing mechanisms, and standardized formats.
Afternoon Workshop
The afternoon workshop was split into two sessions that involved a guided discussion around the two SBoM use cases, component vulnerability and procurement transparency. Input was sought on practical steps that could be taken, by both producers and consumers of SBoMs, to maximize their effectiveness in supporting the use cases. Additionally, the workshop attempted to address broader questions that were raised in the morning panel.
Takeaways from the workshop session included:
· The need for government industry dialogue on what is the right level of information/detail of information;
· A needed push for alignment across global SBoM efforts;
· The need for standardization;
· The need to understand what use cases the government wants to use SBoM for;
· The awareness that regulatory pressure is getting ahead of solutions;
· Compliance and certification costs may take resources away from security; and
· A need to understand the value of SBoM in Cloud.
Conclusion
The Cybersecurity Coalition will continue to work with government and industry partners to drive the implementation of SBoMs in a manner that is beneficial for software producers and consumers. This will include activities to support consistent implementation of SBoMs within the United States and internationally. We will seek to create pilots to enhance the ability of stakeholders to smoothly implement SBoMs in a timely fashion. We will also continue to provide thought leadership with respect to SBoM use cases and implementation. This work may take the form of papers, workshops, and small group discussions.
Appendix
· Cybersecurity Coalition SBoM position paper
https://www.cybersecuritycoalition.org/reports/cybersecurity-coalition-sbom-position-paper
· House NDAA section 6722 on page 3138
https://www.congress.gov/117/bills/hr7900/BILLS-117hr7900pcs.pdf
· Senate NDAA section 1627 on page 771
https://www.armed-services.senate.gov/imo/media/doc/fy23_ndaa_bill_text2.pdf
· OMB Memorandum on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices
https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf
· CISA SBoM activities
· NTIA SBoM landing page