NTIA Releases Minimum Elements for SBOM
Yesterday the DOC’s National Telecommunications and Information Administration (NTIA) published its report on the minimum elements for a software bill of materials (SBOM), as required by President Biden’s EO 14028. The report outlines three broadly defined minimum elements, explains how they can currently be implemented and used, and points the way forward for expanding the usefulness of SBOM. NTIA had solicited public input on the development of these minimum elements last month, but has been working on the topic with an open work group since 2018.
Three Minimum Elements
The announcement lists the three minimum elements as required by EO 14028:
Data Fields: Documenting baseline information about each component that should be tracked,
Automation Support: Allowing for scaling across the software ecosystem through automatic generation and machine-readability, and
Practices and Processes: Defining the operations of SBOM requests, generation and use.
The report goes into more detail (see the page numbers listed below) about each of the elements.
Data Fields (pgs 8-10)
The report provides an initial list of proposed fields that would make up the Data Fields element of the SBOM. NTIA expects that the list of fields will be expanded and improved as the use of SBOM matures.
Supplier name - The name of an entity that creates, defines, and identifies components,
Component name - Designation assigned to a unit of software defined by the original supplier,
Version of component - Identifier used by the supplier to specify a change in software from a previously identified version,
Other unique identifiers - Other identifiers that are used to identify a component, or serve as a look-up key for relevant databases,
Dependency relationship - Characterizing the relationship that an upstream component X is included in software Y,
Author of SBOM data - The name of the entity that creates the SBOM data for this component, and
Timestamp - Record of the date and time of the SBOM data assembly.
Automation Support (pgs 10-11)
The report lists the three different SBOM data formats that are currently in use:
Software Package Data eXchange (SPDX),
CycloneDX,
Software Identification (SWID) tags.
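The seven data fields listed above, expressed in one of the machine-readable formats the report names (CycloneDX) and checked by a small script that flags any component missing one of them. This is an added example, not code from the NTIA report; the sample SBOM is constructed, and the JSON field names (bom-ref, supplier.name, purl, dependencies, metadata.authors, metadata.timestamp) are assumed to follow the CycloneDX 1.3 JSON layout.

```python
import json
from datetime import datetime

# Constructed sample SBOM (not from the NTIA report); field names follow the
# CycloneDX 1.3 JSON layout as this example assumes it. "lib-b" is incomplete.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.3",
    "metadata": {
        "timestamp": "2021-07-13T09:00:00Z", "authors": [{"name": "Example Build Team"}],
        "component": {"bom-ref": "app", "name": "example-app", "version": "2.4.0",
                      "supplier": {"name": "Example Corp"}, "purl": "pkg:generic/example-app@2.4.0"},
    },
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "version": "1.0.1",
         "supplier": {"name": "Acme Libs"}, "purl": "pkg:generic/lib-a@1.0.1"},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "3.2"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
                     {"ref": "lib-a", "dependsOn": []}],
})

def missing_component_fields(comp):
    # NTIA per-component field -> the value this CycloneDX entry carries for it
    present = {
        "supplier name": comp.get("supplier", {}).get("name"),
        "component name": comp.get("name"),
        "version": comp.get("version"),
        "other unique identifier": comp.get("purl") or comp.get("cpe"),
    }
    return [field for field, value in present.items() if not value]

def check_sbom(text):
    # Map each bom-ref (or "document") to the NTIA minimum fields it lacks
    bom = json.loads(text)
    meta = bom.get("metadata", {})
    doc = []
    if not any(a.get("name") for a in meta.get("authors", [])):
        doc.append("author of SBOM data")
    try:  # the timestamp must parse, not merely be present
        datetime.strptime(meta.get("timestamp", ""), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        doc.append("timestamp")
    problems = {"document": doc} if doc else {}
    # a component with no "dependencies" entry has stated no relationship at all
    declared = {d.get("ref") for d in bom.get("dependencies", [])}
    for comp in [meta.get("component", {})] + bom.get("components", []):
        missing = missing_component_fields(comp)
        if comp.get("bom-ref") not in declared:
            missing.append("dependency relationship")
        if missing:
            problems[comp.get("bom-ref", "?")] = missing
    return problems
```

Running check_sbom(SAMPLE_SBOM) reports only lib-b, which lacks a supplier name, a unique identifier and any stated dependency relationship.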
Practices and Processes (pgs 11-13)
The report discusses the following topics supporting this element:
Frequency,
Depth,
Known Unknowns,
Distribution and Delivery,
Access Control, and
Accommodation of Mistakes
Conclusion
NTIA acknowledges that these three minimum requirements are just that, MINIMUM. They outline much of the near-term work that needs to be done. In the conclusion to their report NTIA notes (pgs 21-2):
These minimum elements will be a key input into the Federal Government’s work to improve the security and integrity of the software supply chain, particularly for critical software. Executive Order 14028 defines these next steps, notably calling for specific guidance, including “standards, procedures, or criteria.” To support and complement this work, the Federal Government should encourage or develop resources on how to implement SBOMs, potentially involving sector-specific or technology-specific details. It will be important to build on, and potentially expand the public-private partnerships that have already been established and which have focused on defining and operationalizing SBOM’s related supply chain work.