Minimum Components of an SBOM Published by NTIA

  /  ICS Security   /  Minimum Components of an SBOM Published by NTIA
ICS Cybersecurity

Minimum Components of an SBOM Published by NTIA

The NTIA (National Telecommunications and Information Administration) recently published the minimum elements for a Software Bill of Materials (more commonly known as SBOM).

Definition of an SBOM

Although the NTIA has been conducting a transparent, multistakeholder process since 2018, the starter’s pistol went off on May 12 when President Biden signed Executive Order 14028 — Improving the Nation’s Cybersecurity (see aDolus’ other blog posts on the EO). The EO tasked NTIA with publishing the minimum elements of an SBOM. If you are unfamiliar with SBOMs, here is the NTIA definition:

An SBOM is a formal record containing the details and supply chain relationships of various components used in building software … An SBOM provides those who produce, purchase, and operate software with information that enhances their understanding of the supply chain, which enables multiple benefits, most notably the potential to track known and newly emerged vulnerabilities and risks.

To be clear, the 28-page document established the minimum elements of an SBOM. The NTIA is quite emphatic about that. More than 8 pages are dedicated to Sections 5 “Beyond Minimum Elements: Enabling Broader SBOM Use Cases” and 6 “Future SBOM Work.” So we can look forward to future improvements, while still making immediate progress. Or, to borrow their own phrase, “starting today is better than waiting for perfection.”

The minimum elements NTIA describes are organized into these three categories.

  • Data Fields
  • Automation Support
  • Practices and Processes

Read the full post from aDolus to learn more about the minimum elements of an SBOM.

 

About the Author

This article was written by Derek Kruszewski, P. Eng, Artificial Intelligence Analyst, aDolus.

 

Learn from global ICS cybersecurity subject matter experts as they share insights on topics like Cybersecurity for Manufacturing, Energy and Infrastructure Industries and The Role of AI in ICS Cybersecurity at IIoT World’s Cybersecurity Day on October 6, 2021. The first 500 tickets are free, so register today.

Post a Comment