Continuous Transformation Blog

SBOM Now Vital For Open Source Software On Executive Order

Written by Neil Sheppard | April 13, 2023

SBOMs will soon be required for software purchased by the US government. Let's look at the key dates, both those already passed and those still to come, and at where SBOM use is heading.

Software bills of materials (SBOMs) are set to be required for software used by the United States government by September 14 of this year. This starts a countdown not only for software providers to the federal government, but also for software development firms around the world.

The US government's move is likely to set the standard for government cybersecurity policy globally. This, in turn, will become an expectation for software across all industries.

Why are SBOMs becoming such a pressing issue for the US government, and why is their use soon to become standard practice?

Why are SBOMs such a crucial issue?

“During the past 12 months, 34.5% of polled executives report that their organizations' accounting and financial data were targeted by cyber adversaries.”

Deloitte Center for Controllership

The global cost of cyber crime is projected to reach USD 10.5 trillion annually by 2025, according to Cybersecurity Ventures. What's more, the recent growth of artificial intelligence and machine learning means this technology could soon be used by cyber criminals to launch automated attacks on corporations, according to Forbes.

Open-source software is particularly exposed to these kinds of attacks, since its publicly available code can be searched for vulnerabilities, some of which will inevitably be found. According to Synopsys' 2023 Open Source Security and Risk Analysis (OSSRA), 84% of the code bases it scanned contained at least one open-source vulnerability.

Nor is this a niche problem: the report also found that 73% of the code it examined across the aerospace, aviation, automotive, transportation, and logistics industries was open source.

“Open source was in nearly everything we examined this year; it made up the majority of the code bases across industries”

2023 OSSRA, Synopsys

Given the wide distribution of open-source software, you can see why software bills of materials (SBOMs) have become such a crucial concern for software purchasers, such as the US government. Taken together, the numbers reported by Synopsys suggest that well over half of the software in use contains at least one open-source component with a publicly listed security vulnerability.

What is an SBOM?

An SBOM is a list of all the software elements used to make up a piece of software, including all the open-source code. It shows you what the software is made of.

Just as an ingredients list of everything used to bake a cake will tell you whether it is safe for a person with allergies to eat, an SBOM lets you quickly see whether your software contains a component affected by a vulnerability that later comes to light.

As Forbes contributor, Chuck Brooks, put it:

"SBOMS are an important way to map systems and organize to be more cyber secure. An SBOM is basically a list of ingredients that make up software components and serves as a formal record containing the details and supply chain relationships of various components used in building the software."

It also gives purchasers of software a way to assess the security of what they're buying, and lets both vendor and purchaser respond quickly when a new vulnerability is disclosed, because the affected component can be located without a fresh audit. This is why the US government has put such a challenging timeline in place for requiring SBOMs from its vendors.
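As an added example of what an SBOM is for (this is not code from this post, from LeanIX or from Synopsys): the Python below takes a small CycloneDX-style SBOM and a list of advisories, both constructed here for illustration with placeholder advisory identifiers rather than real CVEs, and reports which listed components fall inside an affected version range. This is the "ingredients list" check described above, done mechanically. It assumes plain dotted numeric versions; real ecosystems need their own version comparators.

```python
"""Check a CycloneDX-style SBOM against a vulnerability advisory feed.

Added example, not LeanIX, Synopsys or NIST code. Both the SBOM and the
advisory list are constructed inline for illustration; the advisory
identifiers (ADV-0001, ADV-0002) are placeholders, not real vulnerabilities.
"""
import json

# Constructed SBOM in the shape of a minimal CycloneDX 1.4 JSON document.
# Each component carries a package URL (purl), the usual key for matching
# SBOM entries against advisories.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log-shim", "version": "2.14.1",
         "purl": "pkg:maven/org.example/log-shim@2.14.1"},
        {"type": "library", "name": "yamlparse", "version": "6.0.0",
         "purl": "pkg:pypi/yamlparse@6.0.0"},
        {"type": "library", "name": "httpclient", "version": "4.5.13",
         "purl": "pkg:maven/org.example/httpclient@4.5.13?type=jar"},
    ],
})

# Constructed advisory feed. Each entry names a package by its purl without
# the version, plus the affected range [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:maven/org.example/log-shim",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-0002", "package": "pkg:pypi/yamlparse",
     "introduced": "5.1.0", "fixed": "5.4.0"},
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    Assumption: plain dotted numeric versions. Real tooling must use the
    ecosystem's own comparator (PEP 440, Maven, semver pre-release rules).
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """Split a purl into (package, version), dropping qualifiers and subpath.

    The purl spec percent-encodes '@' inside names, so the last '@' is the
    version separator. Returns version None when the purl has no version.
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    package, sep, version = core.rpartition("@")
    if not sep:
        return core, None
    return package, version


def find_affected(sbom_json, advisories):
    """Return (advisory id, component name, version) for every SBOM
    component whose version falls inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl, nothing to match on
        package, version = split_purl(purl)
        if version is None:
            continue
        v = parse_version(version)
        for adv in advisories:
            if adv["package"] != package:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((adv["id"], comp.get("name", package), version))
    return hits


if __name__ == "__main__":
    for adv_id, name, version in find_affected(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{adv_id}: {name} {version} is in the affected range")
```

Run as a script it flags only log-shim 2.14.1: yamlparse 6.0.0 is past the fixed version and httpclient has no advisory. The same matching is what commercial and open-source SBOM scanners do at scale, with real purl-keyed feeds such as OSV or the NVD in place of the constructed list.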

A Timeline Of US SBOM Cyber Security History

On May 12, 2021, the US government announced the new SBOM requirement. White House Executive Order 14028: Improving The Nation's Cybersecurity directed NIST to issue guidance on requirements for vendors, including:

"...providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website"

The executive order laid out a timeline for implementation of the guidance:

  • Within 30 days of the executive order (June 11, 2021), the Secretary of Commerce, acting through the director of the National Institute of Standards and Technology (NIST), would solicit input to develop guidelines for complying with the standards in the order
  • Within 180 days of the executive order (November 8, 2021), the director of NIST would publish the preliminary guidelines
  • Within 360 days of the executive order (May 7, 2022), the director of NIST would publish additional guidelines that included procedures for periodic review and updates

The Office of Management and Budget then set the vendor deadlines in memorandum M-22-18 of September 14, 2022. By December 13, 2022, federal agencies were to inventory their software and identify which of it the government deemed critical. Vendors of that critical software were called on to submit documentation, a self-attestation of secure development practices and, where the agency requires it, an SBOM, by June 11, 2023. By September 14, 2023, providers of all other software will need to submit the same documentation.

The White House National Cybersecurity Strategy

In March of this year, the US government confirmed its plan by publishing the White House National Cybersecurity Strategy, which specifically calls for the use of SBOMs in government-used software.

US Senator Mark Warner famously described the US government as the largest enterprise in the world. When the largest enterprise in the world demands SBOMs from all of its software vendors, other software purchasers can't be far behind with similar demands.

In fact, ENISA, formerly the European Network and Information Security Agency and renamed the European Union Agency for Cybersecurity under the 2019 EU Cybersecurity Act, is already moving in the same direction.

Mapping SBOMs For Your Software

For SBOMs to be useful, there has to be a clear connection between the components listed and the products you sell. The LeanIX Value Stream Management (VSM) platform can support you in documenting all the software components used throughout your tech stack, from service to product.

Out-of-the-box integrations and easy-to-use APIs will give you a real-time inventory of your services and the teams responsible for them. As a result, you can understand at a glance which services are dependent on a specific library, which teams are responsible, and which products use the service.