Participants in NTIA’s software security multistakeholder effort made significant progress this year, publishing the first set of community-drafted documents to offer guidance around the practice of a software bill of materials (SBOM). The SBOM functions as a “list of ingredients” for software that can help organizations keep track of the underlying components that make up almost all software today.
We are excited that the broader community is already using these resources, and we’re looking forward to refining the concept at the technical level. During the most recent meeting in November, the community agreed to continue their work in 2020, with a focus on making transparency an easy-to-use feature of the software marketplace.
Moving forward, in four parallel work streams, stakeholders plan to:
- Further refine the concept of what an SBOM is, and tackle obstacles to broader, more scalable adoption
- Catalog existing tools that can be used to generate and use SBOM data, as well as identify gaps in what is available
- Create demonstrations and proofs-of-concept to show that transparency is possible
- Promote awareness and adoption across sectors and roles with a strategy for outreach and targeted communication messages
The overall vision is to establish a more robust supply chain for the software that runs nearly every aspect of our daily lives. A software bill of materials can help those who make software ensure that their code is built out of up-to-date and secure components, and give users a better understand what is running on their networks.
NTIA looks forward to working with stakeholders to advance this agenda in the coming year. Now is the perfect time to get involved! To join a working group or learn more about this project, visit NTIA.gov/SoftwareTransparency or email afriedman@ntia.gov.