CISA Urges Improvements in US Software Supply Chain Transparency

The US Cybersecurity and Infrastructure Security Agency (CISA) has published the third edition of Framing Software Component Transparency, a key document aimed at improving the clarity and usage of the Software Bill of Materials (SBOM).

This latest version, developed by CISA’s SBOM Tooling & Implementation Working Group, introduces refined guidelines on SBOM creation and software component identification.

These updates are intended to help organizations address the growing challenges of software supply chain transparency and security.

New Guidance on SBOM Creation

The third edition of Framing Software Component Transparency expands on the 2021 edition by further defining essential SBOM attributes.

These attributes are organized into three levels - minimum expected, recommended practices and aspirational goals - offering organizations a clear framework for managing software components.

CISA said the guidance is crucial for identifying and tracking software vulnerabilities, streamlining incident response and reducing risks within increasingly complex software supply chains.

The report emphasizes that simply including baseline information in an SBOM is insufficient to address all use cases. As the use of SBOMs grows, organizations will need to adopt more advanced practices for sharing and managing this data.

These efforts are vital as global enterprises face mounting operational and supply chain security challenges due to the limited visibility of software components deployed in their environments.

SBOMs offer a harmonized model for increasing cybersecurity automation and improving overall transparency.

Importance of Baseline SBOM Attributes

To facilitate rapid adoption, the report also defines a set of baseline attributes necessary for SBOMs to be useful.

These attributes align with existing formats such as SPDX and CycloneDX, enabling software components to be uniquely identified and linked across supply chains.

By ensuring this basic level of transparency, organizations can better manage security, track vulnerabilities and implement mitigations.

The document also highlights the need for more robust data to support a variety of identified use cases, including enhanced asset and IP management.
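As an added illustration (not code from this article, from CISA or from the report), the following Python audits a constructed CycloneDX JSON document for the baseline attributes that the 2021 edition defined (author name, timestamp, supplier name, component name, version string, component hash, unique identifier, relationship); the third edition's exact attribute list is not reproduced on this page, so using the 2021 names is an assumption here, and the sample SBOM and its component names are constructed.

```python
import json

# Constructed CycloneDX 1.5 JSON document (sample input, not from the page).
# The second component deliberately lacks supplier, identifier, hash and a
# dependency relationship, so the audit has something to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-10-15T12:00:00Z",
                 "authors": [{"name": "example-build-pipeline"}]},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.32.3", "name": "requests",
         "version": "2.32.3", "supplier": {"name": "Example Supplier"},
         "purl": "pkg:pypi/requests@2.32.3",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"bom-ref": "lib-1", "name": "leftover-lib", "version": "0.1"},
    ],
    "dependencies": [{"ref": "pkg:pypi/requests@2.32.3", "dependsOn": []}],
})


def audit_component(comp):
    """Return the per-component baseline attributes missing from `comp`."""
    missing = []
    if not comp.get("supplier", {}).get("name"):
        missing.append("supplier_name")
    if not comp.get("name"):
        missing.append("component_name")
    if not comp.get("version"):
        missing.append("version")
    # Any one of purl, cpe or swid counts as a unique identifier in CycloneDX.
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        missing.append("unique_identifier")
    if not comp.get("hashes"):
        missing.append("component_hash")
    return missing


def audit_sbom(text):
    """Audit document-level and component-level baseline attributes."""
    doc = json.loads(text)
    report = {"document": [], "components": {}}
    meta = doc.get("metadata", {})
    if not meta.get("timestamp"):
        report["document"].append("timestamp")
    if not meta.get("authors"):
        report["document"].append("author_name")
    # A component with no entry in the dependency graph has no declared
    # relationship, which is the last of the baseline attributes.
    referenced = set()
    for dep in doc.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    for comp in doc.get("components", []):
        missing = audit_component(comp)
        if comp.get("bom-ref") not in referenced:
            missing.append("relationship")
        report["components"][comp.get("bom-ref", comp.get("name"))] = missing
    return report
```

Running `audit_sbom(SAMPLE_SBOM)` flags only the second component, which is the kind of gap the report's "minimum expected" level is meant to close before an SBOM is exchanged.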

SBOMs and the Future of Software Supply Chain Security

CISA’s new guidelines come at a critical time when organizations worldwide are grappling with increasing software supply chain risks. The lack of visibility into software components has left many questions about known vulnerabilities unanswered.

The establishment of standardized SBOM formats is expected to address these gaps, enabling end-user organizations and software vendors to monitor and manage the security of their networks more effectively.

The continued evolution of SBOMs will depend on developing coordinated methods for sharing SBOM data and the availability of automated tools to support their creation and use.

As organizations adopt SBOMs, CISA’s new guidance aims to ensure that critical information is captured and exchanged efficiently, leading to better asset management, vulnerability tracking and overall risk management.