NSA and Partners Release Cybersecurity Guidelines for Software Bill of Materials (SBOM) Consumption

In collaboration with the Office of the Director of National Intelligence (ODNI) and the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and industry partners have issued a cybersecurity technical report titled “Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption.” This report offers guidance to software developers, suppliers, and customers on ensuring software integrity and security throughout its lifecycle.

Key Points:

  • Developed by the Enduring Security Framework (ESF) Software Supply Chain Working Group, the report builds on OMB’s “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.”
  • Software Bill of Materials (SBOM) is emphasized for enhancing transparency, improving patch and vulnerability management, and mitigating supply chain risks.
  • The report covers industry best practices for SBOM consumption, SBOM lifecycle management, risk scoring, and operational implementation, with the goal of increasing transparency in software management and supplying actionable risk information.

Industry Response: Christine Gadsby, VP Product Security at BlackBerry, commends ESF’s guidance, emphasizing the significance of an accurate, comprehensive SBOM for real-time risk-based mitigation in the software supply chain.

Background: The report responds to the rising threat of cyberattacks targeting software supply chains, emphasizing the potential weaponization of supply chains by nation-state adversaries.

This release aims to bolster cybersecurity practices within organizations and the broader supply chain by providing actionable recommendations for SBOM consumption and risk management.