A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them
What is an SBOM?
A “Software Bill of Materials” (SBOM) is a list of all the open-source and third-party components present in a system’s code. An SBOM lists the licenses that govern the components, the versions of the components used in the code, and their patch status, which allows for quick identification of any security or license risk.
SBOMs are becoming an important part of how government agencies strengthen their software security by identifying and managing risks in the software supply chain. For federal information technology systems, SBOMs support:
Transparency - Organizations are more aware of the component parts of their software and can make better security decisions based on that knowledge.
Vulnerability tracking - Known vulnerabilities for each component can be tracked as software updates are made, resulting in a more accurate understanding of a project’s overall system risk.
Auditing - Knowing a system’s component parts and any related risks ensures that only authorized dependencies are included in a software project.
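The following is an added example, not code from this page or from any CMS tooling, of what "consuming" an SBOM looks like in practice: a small Python script reads a constructed CycloneDX-style SBOM, compares each component's version against a constructed advisory list (placeholder IDs, not real CVEs), and flags components whose license is disallowed or not declared. The CycloneDX JSON layout, the component names, the advisory records and the license policy are all assumptions made for illustration.

```python
import json

# Constructed CycloneDX-style SBOM (assumption: the page names no format; CycloneDX JSON is used here).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-web", "version": "2.3.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-parser", "version": "1.0.4",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "example-crypto", "version": "0.9.0", "licenses": []}
  ]
}"""

# Constructed advisory feed: component name -> first fixed version (placeholder IDs, not real CVEs).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "example-parser", "fixed_in": "1.1.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "example-crypto", "fixed_in": "0.9.0"},
]

# Hypothetical license policy: licenses this organization does not allow in its products.
DISALLOWED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(v):
    """Dotted numeric version -> tuple, so '1.10.0' > '1.9.0' (no pre-release handling)."""
    return tuple(int(part) for part in v.split("."))


def review_sbom(sbom_text, advisories, disallowed):
    """Return one finding per component: matching advisories and whether the license is a risk."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        licenses = [lic["license"]["id"] for lic in comp.get("licenses", []) if "license" in lic]
        # A component is affected when its version is older than the advisory's fixed version.
        vulns = [a["id"] for a in advisories
                 if a["name"] == name and parse_version(version) < parse_version(a["fixed_in"])]
        findings.append({
            "name": name, "version": version,
            "vulnerabilities": vulns,
            # An undeclared license is treated as a risk because it cannot be audited.
            "license_risk": any(lic in disallowed for lic in licenses) or not licenses,
        })
    return findings


if __name__ == "__main__":
    for finding in review_sbom(SBOM_JSON, ADVISORIES, DISALLOWED_LICENSES):
        print(finding)
```

Running it reports that example-parser is both below its fixed version and under a disallowed license, example-crypto is already at the fixed version but has no declared license, and example-web is clean.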
Federal guidance on SBOM
Federal authorities such as the National Telecommunications and Information Administration (NTIA) and the Cybersecurity and Infrastructure Security Agency (CISA) provide information about the use of SBOMs and the importance of their adoption by government agencies:
The National Telecommunications and Information Administration (NTIA) has produced a series of explainer videos about Software Bill of Materials (SBOM) that can help you understand their value and how to use them.
SBOM adoption at CMS
CMS is working to align its cybersecurity strategy with federal government standards, including the Executive Order on Improving the Nation’s Cybersecurity (2021), which calls for enhanced software supply chain risk management across government agencies. Incorporating SBOMs into this overall strategy will help CMS mitigate weaknesses in its software supply chain and prevent threats from bad actors that seek to compromise government systems.
Like all modernization efforts, the full-scale adoption and utilization of SBOMs at CMS will take some time. The effective use of SBOMs depends on their completeness and quality – as well as the tooling used to “consume” the SBOMs in order to make sense of the data they provide.
Contact
While we are determining our strategy and technology for implementing SBOMs effectively, system teams and Business Owners with questions about the secure and approved usage of SaaS products should get in touch with the CMS SaaS Governance (SaaSG) team:
Email: saasg@cms.hhs.gov
CMS Slack: #ispg-saas-governance