Software Bill of Materials (SBOM) , Standards, Regulations & Compliance
CISA's New SBOM Guidance Faces Implementation Challenges
Many Organizations Lack Resources to Develop Adequate SBOM Consumption ProcessesMany organizations will struggle to implement new software security guidance from the U.S. Cybersecurity and Infrastructure Security Agency, industry experts say, citing a lack of specific components required to effectively develop and scale a consumption process for software bills of materials.
See Also: State of Software Security: Has It Moved Past Unacceptable?
The cyber defense agency published recommended practices on Thursday for software vendors and suppliers to help secure the supply chain and enhance SBOM consumption, which allows organizations to mitigate vulnerabilities by identifying the software components across their systems. The guidance, which CISA published along with the NSA and Office of the Director of National Intelligence, includes best practices for developing SBOM generation and consumption processes, from obtaining additional SBOMs when software is updated to assessing the risks associated with vulnerabilities discovered through SBOMs.
CISA, the NSA and ODNI acknowledged throughout the guidance that adequate SBOM consumption programs will require investments in resources and the extensive use of automated tools and processes. That presents a "major obstacle" for organizations seeking to improve their software security, according to Jeff Martin, vice president of product for the application security firm Mend.io.
Martin told Information Security Media Group the guidance provides organizations with "little help" in choosing the correct rubrics for their SBOM operations "other than the most broad characteristics."
"Any company seeking to have an effective, scaled, SBOM generation or consumption process will need to do significantly more research and solution evaluation," he said.
Martin said the new guidance lists some elements that can be included in SBOM risk scores to help provide organizations with a comprehensive understanding of potential security risks associated with software components, but it fails to endorse a standard "other than to say one should be developed."
CISA previously published a three-part series of guidance in 2022 for software developers, vendors and consumers on securing the software supply chain. The agency has also promoted the importance of SBOMs in security operations through a range of events, reports and resources for public and private sector organizations over the years.
SBOM consumption nonetheless remains "a huge challenge," said Bryan Willett, chief information security officer for Lexmark, who said that many organizations lack the tools required to manage SBOMs.
"The challenge is: SBOM alone just creates a massive additional layer of work," Willett told ISMG, adding that adequate processes require dedicated staffing and a mature configuration management and asset database.
The guidance states that the primary purpose of an SBOM "is to identify components and their relationships to one another," and emphasizes that certain baseline component information is crucial for accurate assessments, including product version numbers and dependency identifiers. The document acknowledges that best practices and requirements will likely advance as the SBOM ecosystem matures.
"SBOM is just a starting point. It isn't an endgame," said John Harmon, regional vice president of cyber solutions for the security firm Elastic. "It is a layer that is needed to understand when a vulnerability is disclosed that we have the intelligence to move to action more quickly or in the future, automatically."