Sorry, you need to enable JavaScript to visit this website.
Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.


  1. Home

Progress on Software Component Transparency

April 8, 2019
Allan Friedman, Director of Cybersecurity Initiatives, Office of Policy Analysis and Development

NTIA is hosting its fourth multistakeholder meeting April 11 on software component transparency to work on ways to enable a more secure software ecosystem. We’re excited to report that a great deal of progress has been made since the effort started eight months ago. The goal is to increase transparency around the use of third party software components so that when vulnerabilities are detected, there is a way to quickly remedy problems

The idea is that software developers and organizations can create and share a “software bill of materials” (SBOM) that lists the components that make up software – a concept somewhat similar to food ingredient lists for every product on grocery store shelves.

Since first beginning this work in July 2018, the group has reached broad consensus around the basic value of a software bill of materials. Several working groups are digging into the details of how this would work, and studying what a more secure future can look like if stakeholders widely adopt SBOM across the Internet ecosystem.

It is one thing to talk about a technology, but showing how it works makes a stronger case for illustrating why this is a worthwhile pursuit, particularly with emerging technology like IoT. The medical device community has stepped forward with a proof-of-concept to demonstrate the feasibility of an SBOM in practice. This pilot, involving several medical device manufacturers and a handful of hospitals that use them, will explore how the data can be generated, shared, and used to improve security practices.

We hope to look at other use cases across diverse sectors in the months ahead. We see real potential for positive disruption, as the next generation of software and security tools build upon this soon-to-be-available data to make the software world more secure and trustworthy.