The Cybersecurity and Infrastructure Security Agency has issued the third edition of its guidance aimed at promoting transparency in the supply chain of software components. The new document, titled “Transparency: Establishing a Common Software Bill of Materials,” amplifies the baseline attributes needed for establishing transparency cited in the second guidance edition issued in 2021, CISA said Tuesday.
The updated edition will serve as a detailed guide for creating software bills of materials, or SBOMs, the agency added. It defines an SBOM as “a formal, machine-readable inventory of software components and dependencies, information about those components and their relationships.”
The new guidebook clarifies the expectations for each SBOM baseline attribute. It also adds two baseline attributes—license and copyright holder—and includes risk management in the SBOM consumption process.
CISA developed the 39-page guidance through its community-driven working group and software community input.
In April 2023, the Department of Homeland Security’s Science and Technology directorate selected seven start-ups to build SBOM-based products to help CISA create a multi-format SBOM translator and a software component identifier translator as foundational open-source software libraries.
Join the Potomac Officers Club’s 2024 Homeland Security Summit on Nov. 13, to learn more about the major threats against the United States and the efforts underway to address them. Register now!