NTIA Software Component Transparency
This site features information and resources for the ongoing Software Component Transparency effort around Software Bill of Materials (SBOM). For published stakeholder-drafted consensus documents on SBOM, please visit ntia.gov/SBOM.
SBOM Virtual Multistakeholder Meeting
Next meeting date: TBD
In January through April of 2021, NTIA hosted SBOM info sessions for the Energy and Bulk Power community, offering some background and more technical information around SBOM. Slides and videos are below:
- Presentation: An overview of SBOM
- Presentation: SBOM use cases for the energy sector
- Presentation: Experimenting with SBOM – lessons from the healthcare sector
- Presentation: Experimenting with SBOM – early steps in the Automotive sector
- Video: Introductory SBOM Information Session for the Energy Community (1 hour)
- Presentation: Technical Overview: Framing and Architecture
- Presentation: Technical Overview: Formats and Tooling
- Video: Technical SBOM Information Session for the Energy Community (1 hour)
- Presentation: Medical Device Manufacturer Perspective and Lessons
- Video: Information Session - Lessons Learned from the Community (1 hour)
- Presentation: Exploring a Proof-of-Concept for the Energy Sector
- Video: Information Session - Planning a Proof-of-Concept for the Energy Sector
For more information, or to join a working group, please email mdoscher@ntia.gov.
At the November 18 in-person meeting, following the publication of the first round of SBOM deliverables, stakeholders discussed how the activities identified as next steps should be divided among the existing working groups. Information on those working groups is below, along with some participation information. For more information or background, please email mdoscher@ntia.gov.
Framing Working Group
Work will focus on defining and refining the specification of SBOMs, with attention to obstacles to broader, more scalable adoption. Topics identified include: component identity and naming, how to share SBOMs, how to characterize non-exploitability vs. vulnerability, SBOM integrity and high-assurance data, SBOMs for Cloud/SaaS, and others.
Working group call: Fridays, 2:00pm-3:00pm ET
Join the group: https://lists.sei.cmu.edu/mailman/listinfo/ntia-sbom-framing.
Awareness and Adoption
Work will focus on promoting SBOM as an idea and a practice. Tasks identified include: building a broader outreach strategy with outreach targets; shorter documents with specific outreach goals by sector, organizational role, etc.; coordinating with related efforts; and more explicit business cases for SBOM adoption.
Working group call (tentative): Fridays, 1:00pm-2:00pm ET
Join the group: https://lists.sei.cmu.edu/mailman/listinfo/ntia-sbom-practices
Formats & Tooling
Working group will focus on how to automate SBOM production and use. Initial goals are to catalog existing tools for SBOMs in the different identified standards (SPDX, SWID, CycloneDX) and develop a translator between these formats. Further work will include a gap analysis in SBOM tools, and potentially explore SBOM processes and playbooks.
Working group call: Alternate Fridays, 11:00am-12:00pm ET
Join the group: https://lists.linuxfoundation.org/mailman/listinfo/ntia-sbom-formats
Healthcare Proof of Concept
Working group will plan and execute a second proof-of-concept exercise, with an expanded set of healthcare participants and the inclusion of IT and security industry partners. The group will also advise other industry players interested in SBOM demonstrations.
Working group call: Thursdays, 1:00pm-2:00pm ET
Join the group: https://lists.sei.cmu.edu/mailman/listinfo/ntia-sbom-healthcare
Prior Meetings
Meeting date: April 29
- April 29 Draft Meeting Agenda
- Framing Working Group Presentation
- Formats and Tooling Working Group Presentation
- Healthcare POC Working Group Presentation
- Awareness & Adoption Working Group Presentation
Meeting date: January 13
- 01/13/2021 Meeting Agenda
- Framing Working Group Presentation
- Awareness & Adoption Working Group Presentation
- Formats and Tooling Working Group Presentation
- Healthcare Proof-of-Concept Presentation
Meeting date: October 22
- October 22 Meeting Agenda
- Framing Working Group Presentation
- Formats and Tooling Working Group Presentation
- Healthcare POC Presentation
- Awareness and Adoption Presentation
- Framing Draft: Sharing and Exchanging SBOMs
- Framing Draft: Software Identification Challenge and Guidance
- Framing Draft: Requirements for Sharing of Vulnerability Status Information ("VEX")
- Formats and Tooling Draft: Playbook for SBOM Consumers
- Healthcare POC Draft: SBOM PoC Quick Start Guide for HDOs
- Awareness & Adoption Draft: Expanded FAQ
Meeting date: July 9, 2020
- 07/09/20 Meeting Draft Agenda
- Framing Working Group Presentation
- Framing Group Draft: Software Identity Discussion and Guidance
- Framing Group Draft: Sharing and Exchanging SBOMs
- Healthcare Proof-of-Concept Presentation
- Formats & Tooling Working Group Presentation
- Formats & Tooling Draft: SBOM Tool Classification Taxonomy
- Awareness & Adoption Working Group Presentation
- Awareness & Adoption Draft: SBOM Overview “two pager”
- Awareness & Adoption Draft: FAQ
Meeting date: April 15, 2020
- 04/15/20 Meeting Agenda
- Framing Working Group Presentation
- Framing Working Group Naming Use Cases
- Formats and Tooling Presentation
- Awareness and Adoption Presentation
- Awareness and Adoption Draft FAQ
- Healthcare Proof of Concept Presentation
Meeting date: February 13, 2020
Meeting presentations:
- Framing Working Group Presentation
- Healthcare Proof of Concept Presentation
- Formats and Tooling Presentation
- Awareness and Adoption Presentation
Meeting date: November 18, 2019
Meeting presentations:
- Framing Software Component Transparency
- Use Cases and State of Practice
- Survey of Existing SBOM Formats and Standards
- Healthcare Proof of Concept Report
Meeting date: September 5, 2019
- Tentative Agenda for September 5 Meeting
- Initial List of Potential Next Steps
- Webcast Archive
- Notes from Stakeholder Discussion on Next Steps
Drafts for review and discussion
- Framing Software Component Transparency
- Roles and Benefits for SBOM Across the Supply Chain
- Survey of Existing SBOM Formats and Standards
- Healthcare Proof of Concept Report
Meeting date: June 27
- June 27 Meeting Agenda
- Framing WG: Framing Software Component Transparency
- Use Cases WG: SBoM Roles and Benefits
- Formats WG: Draft White Paper
- Healthcare PoC: Read-ahead Summary of PoC Exercise
- Framing WG Presentation
- Use Cases WG Presentation
- Formats WG Presentation
- Healthcare PoC Presentation
- Notes from June 27 Virtual Meeting
- Survey of Existing SBOM Formats and Standards
Meeting Date: April 11, 2019
Meeting Documents:
- Framing Working Group Problem Statement
- Framing Working Group Terms and Definitions Draft
- Framing Working Group Presentation
- Current Practices and Use Cases Working Group Presentation
- Standards and Formats Working Group Draft White Paper
- Standards and Formats Working Group Presentation
- Healthcare Proof of Concept Presentation
Meeting Date: February 20, 2019
- 02/20/2019 Meeting Agenda
- Documents discussed:
- Presentations:
Meeting Date: November 6, 2018
- 11/06/18 Meeting on Promoting Software Component Transparency Webcast Archive
- 11/06/2018 Meeting Agenda
- Federal Register Notice
- Notes from stakeholder discussions
- Documents discussed:
- The “Understanding the Problem” group’s draft high level guidance,
- An illustration from the Use Case group’s approach to documenting how SBOM data is used, and
- A one page overview of the Healthcare group’s Proof of Concept project.
NTIA Multistakeholder Process on Software Component Transparency progress update - October 1, 2018
At the July 19 kickoff meeting, several working groups were proposed. Information on those working groups is below. To participate, please email afriedman@ntia.doc.gov.
Understanding the Problem
Goal is to scope out the idea of software transparency and the problems it seeks to solve, including how SBOM data might be shared. Outputs might include useful terminology, issues and explicit decisions to address, and implementation guides.
Use Cases and State of Practice
Will focus on identifying use cases, current and possible future, where SW Bill of Materials or similar data is used to achieve various goals. Through review of the current state of practice, we will develop outputs that identify what works today and what are barriers to success.
Standards and Formats
Will investigate existing standards and initiatives as they apply to identifying the external components and shared libraries, commercial or open source, used in the construction of software products. The group will analyze efforts underway in the community and industry related to assuring this transparency is readily available in a machine-readable manner.
Healthcare Proof of Concept
This will be a collaborative effort between healthcare delivery organizations and medical device manufacturers to establish a prototype SBOM format and exercise use cases for SBOM production and consumption. The goal is to demonstrate successful use of SBOMs and relate to the overall cross-sector effort to establish standardized formats and processes.
Meeting Date: July 19, 2018
- 07/19/18 Meeting Agenda
- 07/19/18 Meeting Webcast Archive
- Notes from stakeholder discussions
- Presentations from the Perspective Sharing session
- Art Manion, Senior Vulnerability Analyst, CERT/CC
- Bruce Lowenthal, Senior Director, Oracle Security Alerts Group
- Jim Jacobson, Chief Product Security Officer, Siemens Healthineers
- Chris Wysopal, Chief Technology Officer, CA Veracode
- Josh Corman, Chief Security Officer, PTC
- Jennings Aske, VP & CISO, New York Presbyterian
NTIA’s next cybersecurity multi-stakeholder process will focus on Software Component Transparency. Participants will explore how manufacturers and vendors can communicate useful and actionable information about the third-party software components that comprise modern software and IoT devices, and how this data can be used by enterprises to foster better security decisions and practices. The first meeting, to be held on July 19, 2018, is intended to bring stakeholders together to share the range of views on software and IoT component transparency, and to establish desired stakeholder outcomes and a structure for this process. The goal of this initiative is to foster a market offering greater transparency to organizations, who can then integrate this data into their risk management approach.
For more information, or to receive updates about this initiative, please contact afriedman@ntia.doc.gov.
Background:
Since 2015, the National Telecommunications and Information Administration has sought public comment on several matters around cybersecurity, the Internet of Things, and the health of the digital ecosystem. Several themes emerged from these three public consultations. Many stakeholders emphasized the importance of community-led, consensus-driven, and risk-based solutions to address cybersecurity challenges, highlighting the role NTIA should play in convening multistakeholder processes. In the digital ecosystem, particular challenges were identified: understanding and handling vulnerability information, addressing the insecurities in the growing IoT marketplace, and fostering a secure development lifecycle. NTIA has convened two multistakeholder processes to address these challenges, one on vulnerability disclosure and another on IoT security updates.
Additional Information:
The Federal Register Notice announcing the first meeting and providing further background and detail
Assistant Secretary David Redl's blog post “NTIA Launches Initiative to Improve Software Component Transparency”
A report by the U.S. Department of Commerce and the U.S. Department of Homeland Security, “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats”
Information about NTIA’s multistakeholder process on IoT security upgradability and patching: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security
Information about NTIA’s multistakeholder process on vulnerability disclosure: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities