Monday, January 12th, 2026

International partnership releases guide on software bill of materials


The Cybersecurity and Infrastructure Security Agency (CISA) joined the National Security Agency (NSA) and 19 other international partners to release a joint guide on the value of implementing a software bill of materials (SBOM).

The group said the guide informs software producers, organizations that procure software, and software operators about the advantages of integrating SBOM generation, analysis and sharing into their security processes and practices. As modern software increasingly relies on third-party and open-source components, the SBOM offers a step toward understanding and mitigating supply chain vulnerabilities, the partnership said.

“The ever-evolving cyber threats facing government and industry underscore the critical importance of securing the software supply chain and its components. Widespread adoption of SBOM is an indispensable milestone in advancing secure-by-design software, fortifying resilience, and measurably reducing risk and cost,” Madhu Gottumukkala, Acting Director of CISA, said. “This guide exemplifies and underscores the power of international collaboration to deliver tangible outcomes that strengthen security and build trust. Together, we are driving efforts to advance software supply chain security and drive unparalleled transparency, fundamentally improving decision-making in software creation and utilization.”

Officials said an SBOM is a formal record of all the components and supply chain relationships used in building software. The SBOM acts as a software “ingredients list” and provides organizations with visibility, allowing them to identify components and risks and to mitigate vulnerabilities. The use of SBOMs is encouraged for software producers, purchasers and operators. A coordinated, global approach to SBOM will reduce complexity, improve effectiveness and support secure-by-design software development, they said.
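To make the "ingredients list" idea concrete, the following added example (not part of the guide or of CISA's tooling) shows the kind of SBOM analysis the paragraph refers to: it parses a small, constructed CycloneDX-style SBOM, reads each component's package URL (purl), and checks it against a hand-written list of advisories with placeholder identifiers. The SBOM document, the advisories and the version-range rule are all assumptions made for illustration; a real workflow would use an SBOM generated by build tooling and a live advisory feed.

```python
"""Toy SBOM analysis: match an SBOM's components against an advisory list.

Constructed example, not from the guide: a minimal CycloneDX-style SBOM
and a hand-written advisory list with placeholder identifiers. The point
is the matching logic, not the data.
"""
import json

# Constructed SBOM in a simplified CycloneDX JSON shape
# (bomFormat, specVersion, components[type/name/version/purl]).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "2.3.1",
     "purl": "pkg:pypi/examplelib@2.3.1"},
    {"type": "library", "name": "parserkit", "version": "0.9.0",
     "purl": "pkg:npm/parserkit@0.9.0"},
    {"type": "library", "name": "netutils", "version": "1.4.2",
     "purl": "pkg:golang/example.org/netutils@1.4.2"}
  ]
}
"""

# Constructed advisories (placeholder ids, not real CVEs). Each one says:
# this ecosystem/package is affected for versions >= introduced and < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "pypi", "package": "examplelib",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "npm", "package": "parserkit",
     "introduced": "0.0.0", "fixed": "0.9.0"},   # 0.9.0 itself is fixed
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "golang", "package": "other",
     "introduced": "0.0.0", "fixed": "9.9.9"},
]


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints so 2.10.0 > 2.3.1."""
    return tuple(int(part) for part in v.split("."))


def parse_purl(purl):
    """Extract (ecosystem, name, version) from a package URL.

    Simplified purl handling: pkg:TYPE/[NAMESPACE/]NAME@VERSION, with no
    qualifiers or subpath. The last path segment is the package name.
    """
    body = purl[len("pkg:"):]
    path, _, version = body.partition("@")
    ecosystem, _, rest = path.partition("/")
    name = rest.rsplit("/", 1)[-1]
    return ecosystem, name, version


def load_components(sbom_json):
    """Parse the SBOM document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return doc["components"]


def find_affected(sbom_json, advisories):
    """Return (purl, advisory id) pairs for components inside an affected range."""
    hits = []
    for comp in load_components(sbom_json):
        eco, name, version = parse_purl(comp["purl"])
        v = parse_version(version)
        for adv in advisories:
            if adv["ecosystem"] != eco or adv["package"] != name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((comp["purl"], adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{purl}: affected by {adv_id}")
```

Running it flags only examplelib 2.3.1, because parserkit 0.9.0 is exactly the fixed version and netutils has no matching advisory; that boundary handling is where naive string comparison of versions usually goes wrong.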