SBOM in compliance
EU Cyber Resilience Act 🇪🇺
The European Cyber Resilience Act (CRA) includes requirements for the identification and management of supply chain risks, and the proposed European Cybersecurity Certification Scheme would likely require the use of a Software Bill of Materials (SBOM) and secure software development practices. The CRA lays out specific actions and strategies regarding the responsibility for, and the means of, handling software vulnerabilities, including specifying the vulnerability reporting format and requirements, anchored in the form of an SBOM.
Guide of Introduction of SBOM for Software Management 🇯🇵
Japan's Ministry of Economy, Trade and Industry (METI) published a guide to promote SBOM use. Highlighting growing software security concerns, METI targets software suppliers with this guide, which details the benefits and steps for implementing SBOMs. This initiative aims to improve software vulnerability management, enhance development productivity, and bolster overall cybersecurity in Japanese industries.
Technical Guideline TR-03183 🇩🇪
The Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products, Part 2: Software Bill of Materials (SBOM) provides essential guidance for creating an SBOM. It aims to give manufacturers advance access to the requirements that the future EU Cyber Resilience Act (CRA) will impose. While it is recommended (but not obligatory), it serves as a basis for discussion both within the EU and internationally.
SBOM startersgids 🇳🇱
The Dutch National Cyber Security Center (NCSC) has published an SBOM Starter Guide to assist managers involved in their organization's cybersecurity strategy with implementing SBOMs. This guide explores how organizations can establish processes for using SBOMs; create, manage, and share them effectively; and develop strong agreements with vendors. It also covers how SBOMs can be used for vulnerability management and offers additional insights through supporting frameworks.
The Minimum Elements for an SBOM 🇺🇸
The NTIA Minimum Elements for an SBOM require that SBOMs show, for each software component: supplier, component name, version, any unique identifiers (such as CPE, SWID, or PURL), dependency relationship, and the author of this information along with a time/date stamp of when it was generated. The minimum elements of an SBOM build on three broad, interrelated areas: data fields, operational considerations, and support for automation. SBOMs must comply with at least one of the following SBOM standards: Software Package Data eXchange (SPDX), CycloneDX, or Software Identification (SWID) tags. The minimum elements of an SBOM enable basic use cases such as vulnerability management, software inventory, and license management.
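The following is an added example, not code from the page, NTIA, or the CycloneDX project. It checks a CycloneDX 1.5 JSON document against the NTIA minimum data fields listed above, reporting which fields each component is missing. The mapping of NTIA fields onto CycloneDX properties (supplier.name, name, version, purl/cpe/swid, metadata.timestamp, metadata.authors or metadata.tools, and the dependencies graph) is this example's own reading of the two documents, and the sample SBOM with its supplier and package values is constructed for illustration.

```python
"""Report NTIA minimum-element gaps in a CycloneDX 1.5 JSON SBOM (added example).

Assumption: the NTIA data fields are mapped to CycloneDX properties as follows.
  supplier           -> component.supplier.name
  component name     -> component.name
  version            -> component.version
  unique identifier  -> any of component.purl / component.cpe / component.swid
  dependency rel.    -> component bom-ref appears in the "dependencies" graph
  author of data     -> metadata.authors (or metadata.tools)
  timestamp          -> metadata.timestamp (RFC 3339)
"""
import json
from datetime import datetime

# Constructed sample: an application with two libraries; "somelib" deliberately
# lacks a supplier and any unique identifier so the checker has something to find.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-03-01T12:00:00Z",
        "authors": [{"name": "Example Build Pipeline"}],  # constructed
        "component": {
            "bom-ref": "app", "type": "application",
            "name": "example-app", "version": "2.1.0",
            "supplier": {"name": "Example Org"},  # constructed
            "purl": "pkg:generic/example-app@2.1.0",
        },
    },
    "components": [
        {
            "bom-ref": "pkg:pypi/requests@2.31.0", "type": "library",
            "name": "requests", "version": "2.31.0",
            "supplier": {"name": "Python Software Foundation"},  # constructed
            "purl": "pkg:pypi/requests@2.31.0",
        },
        {"bom-ref": "lib-b", "type": "library", "name": "somelib", "version": "0.9"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "lib-b"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": []},
    ],
}

UNIQUE_ID_KEYS = ("purl", "cpe", "swid")


def _valid_timestamp(ts):
    """True when ts is an ISO-8601 / RFC 3339 date-time string."""
    if not isinstance(ts, str):
        return False
    try:
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def component_gaps(comp):
    """Return the per-component NTIA fields missing from one component record."""
    gaps = []
    if not (comp.get("supplier") or {}).get("name"):
        gaps.append("supplier")
    if not comp.get("name"):
        gaps.append("component name")
    if not comp.get("version"):
        gaps.append("version")
    if not any(comp.get(k) for k in UNIQUE_ID_KEYS):
        gaps.append("unique identifier (purl/cpe/swid)")
    return gaps


def check_minimum_elements(sbom):
    """Map each component's bom-ref to its list of missing NTIA fields.

    Document-level gaps (author, timestamp) are reported under "<document>".
    The primary component from metadata.component is checked like any other.
    """
    meta = sbom.get("metadata", {})
    doc_gaps = []
    if not _valid_timestamp(meta.get("timestamp")):
        doc_gaps.append("timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        doc_gaps.append("author of SBOM data")

    # Every bom-ref that takes part in the dependency graph, as parent or child.
    referenced = set()
    for dep in sbom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))

    records = ([meta["component"]] if meta.get("component") else []) + sbom.get("components", [])
    report = {"<document>": doc_gaps}
    for comp in records:
        gaps = component_gaps(comp)
        if comp.get("bom-ref") not in referenced:
            gaps.append("dependency relationship")
        report[comp.get("bom-ref") or comp.get("name")] = gaps
    return report


if __name__ == "__main__":
    print(json.dumps(check_minimum_elements(SAMPLE_SBOM), indent=2))
```

Run it against a real CycloneDX JSON file by loading it with `json.load` and passing the dict to `check_minimum_elements`; an empty list for every key means each NTIA data field was found under the mapping assumed above. A component with no entry in the dependency graph is flagged even when its own fields are complete, because the NTIA relationship field is a property of the graph rather than of the component record.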
White House Executive Order 14028 🇺🇸
The White House Executive Order on cybersecurity includes new security requirements for software vendors selling software to the U.S. government. It emphasizes the importance of enhancing software supply chain security through the Software Bill of Materials (SBOM). The Executive Order defines an SBOM as “a formal record containing the details and supply chain relationships of various components used in building software”.