
CISA releases updated software supply chain guidance

CISA Guidance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released the third edition of its Framing Software Component Transparency document. This updated version provides enhanced definitions and clarifications of Software Bill of Materials (SBOM) attributes, including detailed descriptions of minimum standards, recommended practices, and aspirational goals for each attribute. The document is a result of extensive discussions within the SBOM Tooling and Implementation Working Group, a CISA community-driven workstream, and feedback from the software community.

It builds on the “Minimum Elements for a Software Bill of Materials” published by the National Telecommunications and Information Administration (NTIA) in 2021, which established the U.S. Government’s minimum requirements for an SBOM. CISA’s updated document aims to further clarify the U.S. Government’s expectations set out through the Office of Management and Budget (OMB). It emphasizes that the lack of transparency in software composition has contributed to cybersecurity and supply chain risk, as well as to increased costs in software development, procurement, operations, and maintenance.

Software supply chain transparency can help manage risk, reduce overall cost, improve vulnerability management, and streamline incident response. It can also help identify suspicious or counterfeit software components, improve resilience through collaboration between stakeholders, and strengthen accountability for secure software development practices. The Framing Software Component Transparency document describes an SBOM framework for sharing software component information in a universally applicable way: how SBOMs are created and shared, the roles of the participants, and how SBOMs fit across the supply chain.

Updated software transparency guidance

The document establishes a minimum expectation for a baseline SBOM, setting out the essential attributes every SBOM must carry. It also defines two further levels of data maturity, recommended practice and aspirational goals, to encourage stakeholders to enrich their SBOM content over time.

Authentication and integrity protection are critical for an SBOM ecosystem: authors must be able to digitally sign SBOMs, and consumers must be able to verify those signatures, which in turn requires a suitable digital signature scheme and public key infrastructure.

The document also provides detailed guidance on creating and exchanging SBOM information from three stakeholder perspectives: those who produce, those who choose, and those who operate the software. To create an SBOM, the supplier defines its components, produces the baseline attributes (and any supplemental attributes) for each of them, and enumerates all directly included components.
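As an added illustration, not code from CISA's document or from DevX, the following Go program walks both sides of the exchange described above: a supplier defines components with a minimum attribute set, checks that every component carries those attributes and that every dependency relationship resolves, signs the canonical form with Ed25519, and a consumer verifies the signature and detects a modified component. The attribute set (supplier, name, version, unique identifier, dependency relationship, SBOM author, timestamp) is taken from the NTIA minimum elements the article cites; the JSON layout, the choice of Ed25519, and the sample inventory are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Component carries per-component baseline attributes. The field set is an assumption
// for this example, modelled on the NTIA minimum elements the article cites.
type Component struct {
	Supplier  string   `json:"supplier"`
	Name      string   `json:"name"`
	Version   string   `json:"version"`
	ID        string   `json:"id"`         // unique identifier, e.g. a package URL
	DependsOn []string `json:"depends_on"` // dependency relationships, by ID
}

// SBOM is the document-level record: who authored it, when, and what it lists.
type SBOM struct {
	Author     string      `json:"author"`
	Timestamp  string      `json:"timestamp"` // RFC 3339
	Components []Component `json:"components"`
}

// Validate checks the minimum expectation and returns one message per problem.
// A relationship edge that points at an ID not present in the SBOM is a problem too.
func Validate(s SBOM) []string {
	var problems []string
	if s.Author == "" {
		problems = append(problems, "sbom: missing author")
	}
	if _, err := time.Parse(time.RFC3339, s.Timestamp); err != nil {
		problems = append(problems, "sbom: timestamp is not RFC 3339")
	}
	known := map[string]bool{}
	for _, c := range s.Components {
		if c.ID != "" {
			known[c.ID] = true
		}
	}
	for i, c := range s.Components {
		required := []struct{ attr, value string }{
			{"supplier", c.Supplier}, {"name", c.Name}, {"version", c.Version}, {"id", c.ID},
		}
		for _, r := range required {
			if r.value == "" {
				problems = append(problems, fmt.Sprintf("component %d: missing %s", i, r.attr))
			}
		}
		for _, dep := range c.DependsOn {
			if !known[dep] {
				problems = append(problems, fmt.Sprintf("component %d: depends_on %q is not in the SBOM", i, dep))
			}
		}
	}
	return problems
}

// Canonical is the byte string that gets signed. encoding/json emits struct fields in
// declaration order, so the same SBOM value always yields the same bytes.
func Canonical(s SBOM) ([]byte, error) { return json.Marshal(s) }

// NewKeypair generates the author's Ed25519 signing key.
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the producer side: a detached signature over the canonical form.
func Sign(priv ed25519.PrivateKey, s SBOM) ([]byte, error) {
	msg, err := Canonical(s)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify is the consumer side: recompute the canonical form and check the signature.
func Verify(pub ed25519.PublicKey, s SBOM, sig []byte) bool {
	msg, err := Canonical(s)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// SampleSBOM is constructed sample data for the example, not a real product inventory.
func SampleSBOM() SBOM {
	xcrypto := "pkg:golang/golang.org/x/crypto@v0.27.0"
	return SBOM{
		Author:    "Example Vendor release pipeline",
		Timestamp: "2024-10-15T12:00:00Z",
		Components: []Component{
			{Supplier: "Example Vendor", Name: "webapp", Version: "2.3.1",
				ID: "pkg:generic/example-vendor/webapp@2.3.1", DependsOn: []string{xcrypto}},
			{Supplier: "The Go Authors", Name: "golang.org/x/crypto", Version: "v0.27.0", ID: xcrypto},
		},
	}
}

func main() {
	pub, priv, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	s := SampleSBOM()
	if p := Validate(s); len(p) > 0 {
		panic(p)
	}
	sig, _ := Sign(priv, s)
	fmt.Println("verifies as authored:", Verify(pub, s, sig))
	s.Components[1].Version = "v0.26.0" // a dependency silently downgraded in transit
	fmt.Println("verifies after tampering:", Verify(pub, s, sig))
}
```

The hand-rolled canonical JSON form is the part to replace in practice: a real SBOM would be emitted in SPDX or CycloneDX and signed inside a standard signature envelope, and the consumer would obtain the author's public key through the PKI the document calls for rather than from the same process that signed the file. The validation and tamper-detection logic stays the same.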

In conclusion, the document recognizes that organizations worldwide face operational and supply chain assurance questions about the software deployed in their environments. Greater automation and software transparency can help enterprises manage their security more effectively and let vendors monitor the components they ship. Establishing a harmonized model for creating and sharing SBOMs is crucial for better asset management, IP management, and the implementation of mitigations.

Noah Nguyen is a multi-talented developer who brings a unique perspective to his craft. Initially a creative writing professor, he turned to Dev work for the ability to work remotely. He now lives in Seattle, spending time hiking and drinking craft beer with his fiancee.
