Cybersecurity

In 2018, NTIA launched its Multistakeholder Process on Software Component Transparency, bringing together an active, engaged community to formulate and establish a software bill of materials (SBOM) – a nested inventory that makes up the “ingredients list” for software.

The stakeholders in our process initially focused on defining the problem: the what, the why, and the how of software component transparency. They established common, consensus definitions, and emphasized the importance of a "baseline" SBOM.

Experts from the healthcare and medical device community stepped up early in the process to demonstrate that this idea was both feasible and useful for their industry.  They launched the first SBOM "proof of concept," sharing their experiences, successes, and challenges in public documentation from which the broader community could learn.

Next, the community shifted its efforts to jumping technical hurdles, as well as identifying existing tools and gaps in the ecosystem.

They emphasized a mantra of "crawl, then walk, then run" to promote adoption across the ecosystem. They developed videos to help educate the public.

Along the way, what was an obscure idea became a key part of the global agenda around securing software supply chains.

In his Executive Order (EO) on Improving the Nation’s Cybersecurity, President Biden identified the prevention, detection, assessment and remediation of cyber incidents as a top priority of his Administration. The Commerce Department and NTIA were directed by the EO to publish the minimum elements for a Software Bill of Materials (SBOM), a key tool to help create a more transparent and secure software supply chain. As the President notes, “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is.”

An SBOM provides those who produce, purchase, and operate software with information that enhances their understanding of the supply chain. Though an SBOM won’t solve all software security problems, it offers the potential to track known newly emerged vulnerabilities and risks, and it can form a foundational data layer on which further security tools, practices, and assurances can be built.