You are here

NTIA Releases Minimum Elements for a Software Bill of Materials

July 12, 2021 by Allan Friedman, Director of Cybersecurity Initiatives

In his Executive Order (EO) on Improving the Nation’s Cybersecurity, President Biden identified the prevention, detection, assessment and remediation of cyber incidents as a top priority of his Administration. The Commerce Department and NTIA were directed by the EO to publish the minimum elements for a Software Bill of Materials (SBOM), a key tool to help create a more transparent and secure software supply chain. As the President notes, “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is.”

An SBOM provides those who produce, purchase, and operate software with information that enhances their understanding of the supply chain. Though an SBOM won’t solve all software security problems, it offers the potential to track known newly emerged vulnerabilities and risks, and it can form a foundational data layer on which further security tools, practices, and assurances can be built.

Today, the Department of Commerce and NTIA are publishing a report on the minimum elements for an SBOM. The report builds on the work of NTIA’s SBOM multistakeholder process as well as the responses to a request for comments issued in June.

The minimum elements as defined in the report are the essential pieces that support basic SBOM functionality and will serve as the foundation for an evolving approach to software transparency. These minimum elements comprise three broad, interrelated areas.

  1. Data Fields: Documenting baseline information about each component that should be tracked
  2. Automation Support: Allowing for scaling across the software ecosystem through automatic generation and machine-readability
  3. Practices and Processes: Defining the operations of SBOM requests, generation and use

SBOM minimum elements will enable basic use cases, such as management of vulnerabilities, software inventory, and licenses. The report also looks at recommended SBOM features and advances that go beyond the minimum elements, including key security features and tracking more detailed supply chain data.

The Biden Administration has identified SBOM as a priority to drive software assurance and supply chain risk management. This report is intended to serve as a foundation for continued collaboration and public-private partnerships to refine and operationalize SBOM work.

To learn more about the potential of SBOM, please visit NTIA.gov/SBOM.