Updated SBOM guidance: A new era for software transparency?


The cost of cyberattacks on software supply chains is a growing problem, with the average data breach costing $4.45 million in 2023. Since President Biden’s 2021 executive order, software bills of materials (SBOMs) have become a cornerstone in protecting supply chains.


In December 2023, the National Security Agency (NSA) published new guidance to help organizations incorporate SBOMs and combat the threat of supply chain attacks.


Let’s look at how things have developed since Biden’s 2021 order and what these updates mean for the owners and operators of national security systems.


Navigating new standards: NIST and CISA’s contributions


Since 2021, the National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) have been pivotal in shaping SBOM standards. Their guidelines aim to offer companies and operators a complete picture of software components, including open-source software.


An SBOM should provide transparency into the ingredients of software, including:


Open-source libraries and dependencies
Commercial/proprietary libraries and modules
Services and tools
Versions of libraries and components
Relationships between components
Licensing information.
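To make the ingredients in the list above concrete, here is an added example (not from the NSA guidance, the article, or any SBOM tool) that builds a small SBOM in the SPDX 2.3 JSON layout and checks it for the transparency gaps a consumer would care about: components without a version, suppliers or licences left as NOASSERTION, relationships that point at components the document never declares, and a document with no top-level DESCRIBES relationship. The SBOM content itself is constructed for illustration; the field names (spdxVersion, packages, versionInfo, licenseConcluded, relationships, relationshipType) follow the SPDX 2.3 JSON schema.

```python
"""Added example: a constructed SPDX 2.3 JSON SBOM and a completeness check.

This is illustrative code, not tooling from the NSA, NIST, CISA or the SPDX
project. Field names follow the SPDX 2.3 JSON layout; the document itself is
made up (the hypothetical 'example-app' and its dependencies are not real).
"""
import json

# Constructed SBOM: one application, two dependencies, one of them poorly
# described, plus a relationship that references a package never declared.
SAMPLE_SBOM_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentNamespace": "https://example.invalid/sbom/example-app",
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.4.0",
     "supplier": "Organization: Example Corp", "licenseConcluded": "LicenseRef-Proprietary"},
    {"SPDXID": "SPDXRef-libcrypto", "name": "libcrypto", "versionInfo": "3.0.8",
     "supplier": "Organization: OpenSSL", "licenseConcluded": "Apache-2.0"},
    {"SPDXID": "SPDXRef-logger", "name": "tiny-logger",
     "supplier": "NOASSERTION", "licenseConcluded": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-libcrypto"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-logger"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-missing"}
  ]
}
"""


def load_sbom(text):
    """Parse an SPDX JSON document into a plain dict."""
    return json.loads(text)


def check_sbom(doc):
    """Return a list of (element, problem) findings for transparency gaps.

    Checks mirror the 'ingredients' an SBOM is expected to carry: every
    component needs a version, a supplier and a licence, every relationship
    must reference declared elements, and the document must say what it
    describes.
    """
    findings = []
    packages = doc.get("packages", [])
    relationships = doc.get("relationships", [])

    for pkg in packages:
        label = pkg["SPDXID"]
        if not pkg.get("versionInfo"):
            findings.append((label, "missing version"))
        if pkg.get("supplier", "NOASSERTION") == "NOASSERTION":
            findings.append((label, "supplier not asserted"))
        if pkg.get("licenseConcluded", "NOASSERTION") == "NOASSERTION":
            findings.append((label, "license not asserted"))

    # Every SPDXID referenced by a relationship must be declared in the
    # document (the document's own ID counts as declared).
    known = {p["SPDXID"] for p in packages} | {doc["SPDXID"]}
    for rel in relationships:
        label = "{} {} {}".format(rel["spdxElementId"], rel["relationshipType"],
                                  rel["relatedSpdxElement"])
        for side in ("spdxElementId", "relatedSpdxElement"):
            if rel[side] not in known:
                findings.append((label, "dangling reference " + rel[side]))

    if not any(r["relationshipType"] == "DESCRIBES" for r in relationships):
        findings.append(("document", "no DESCRIBES relationship"))
    return findings


def dependency_tree(doc):
    """Map each SPDXID to the SPDXIDs it DEPENDS_ON, in document order."""
    tree = {}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DEPENDS_ON":
            tree.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return tree


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM_JSON)
    for parent, children in dependency_tree(sbom).items():
        print(parent, "depends on", ", ".join(children))
    for element, problem in check_sbom(sbom):
        print("FINDING:", element, "-", problem)
```

Run as written, the script reports that `tiny-logger` carries no version, supplier or licence, and that `example-app` declares a dependency on an element the SBOM never describes. Those are exactly the gaps that make an SBOM useless for vulnerability matching and licence review, and they are cheap to catch at ingestion time before the document is trusted.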

It’s important to collect and share this information in a clear, machine-readable format. There are three commonly used standards for SBOMs:


Software Package Data Exchange (SPDX®): An open-source, machine-readable format developed by the Linux Foundation. ..
