CESER Partners with CISA to Release New Framework for Software Bill of Materials Sharing

On April 19, 2023, the U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) jointly released a proposed framework to guide software developers and users seeking to share a software bill of materials (SBOM). In a new publication, entitled “Software Bill of Materials Sharing Lifecycle Report,” the two agencies suggest that the SBOM sharing ecosystem would be well-served by a greater diversity of sharing solutions to meet the needs of unique users and their use cases. 

Just as a bill of materials lists the component parts of a physical piece of equipment or a product, a software bill of materials catalogues the code and contents of a particular application or program. SBOMs typically include detailed information on the origins of specific elements of software, making them an invaluable tool in the evaluation and mitigation of cybersecurity risks.  

The SBOM Sharing Lifecycle Report closely examines the current state of SBOM sharing and defines the sharing lifecycle as a series of three distinct phases: Discovery, Access, and Transport. The report then layers a sophistication framework over the three lifecycle phases, further specifying how an SBOM might be located, accessed, and shared by various stakeholders.

The continued advancement of software bill of materials sharing is imperative for the security and resilience of the U.S. energy sector. The new report provides invaluable information and guidance for software developers, IT professionals, and end-users working in and serving the energy sector as they seek to identify and address cyber vulnerabilities, and to collaborate effectively while doing so. 

Enabling the sharing of SBOMs and products that may result from their use, such as Vulnerability Exploitability eXchange documents, will require an increase in automation and interoperability within the three lifecycle phases. Recognizing the costs and time associated with the implementation of highly sophisticated sharing solutions such as delegated authentication and access controls, the report suggests greater customization and diversification of sharing solutions, creating more opportunity for users with varying needs to interact with SBOMs throughout their lifecycle, and to enrich the products as appropriate. 

The Software Bill of Materials Sharing Lifecycle Report was developed in connection with the Energy Sector Software Bill of Materials Proof of Concept effort, a partnership between CESER and CISA to develop and explore the applications of SBOMs within energy sector environments.