SBOMs are being recognized worldwide as an essential tool for software supply chain security, software vulnerability remediation, and license compliance. Let's consider how governments around the world are managing open-source software risk.
Software bills of materials (SBOMs) are a rising topic in discussions of software supply chain security (SSCS) across the world. With deepening concern over open-source software risk, SBOMs are likely to become a worldwide regulatory requirement.
Let's explore the conversations governments around the world are having about SBOMs, and what the future likely holds for software supply chain security regulation. We'll cover guidance being released in the USA, EU, UK, and Japan.
Software bills of materials (SBOMs) must be provided to the US government by vendors of critical applications by June 11, 2023. All other vendors need to provide security documentation, including SBOMs, by September 14.
These software vulnerability remediation requirements were laid out in White House Executive Order 14028: Improving The Nation's Cybersecurity, which was released on May 12, 2021. This forms part of the Biden administration's efforts to encourage software vendors to make all applications "secure by design".
It isn't surprising that this has become a priority for the White House: according to Statista, the number of US entities impacted by open-source software risk more than trebled between 2021 and 2022. With the biggest economy in the world prioritizing software supply chain security (SSCS), it's no wonder other countries are following suit.
Software bills of materials (SBOMs) are a requirement of the proposed European Union (EU) Cyber Resilience Act. This sweeping legislation will require all software vendors to document materials used in software development with an SBOM to promote software supply chain security (SSCS), software vulnerability remediation, and license compliance.
As item 37 of the proposed bill states:
"In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials. A software bill of materials can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, most notably it helps manufacturers and users to track known newly emerged vulnerabilities and risks. It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties."
The Act has been criticized for potentially going too far in requiring documentation from even smaller organizations. Yet, even a reduced version of the Act will put great demands on software vendors to the EU in managing open-source software risk.
Software bills of materials (SBOMs) were mentioned in a November 2021 UK government response to a call for views on software supply chain security (SSCS). The document noted a number of industry experts were calling for a national SBOM register and related incentives for software vendors to use it.
This is, of course, far behind the EU's bold stance on software vulnerability remediation. Yet, with so many other nations calling for SBOM use, it can't be long before the UK's National Cyber Security Centre (NCSC) takes note of the growing open-source software risk.
Clear guidance from the government response to the call for views recommends working to increase industry knowledge and understanding of software supply chain security. This can only bring about a greater desire for SBOMs to become common practice.
Software bills of materials (SBOMs) are still in the early stages of consideration in Japan, but there's a clear appreciation for their value in increasing software supply chain security (SSCS). The key barrier to adoption in Japan seems to be concerns over the cost of implementation leading to a "strong resistance" from suppliers.
The Japanese Ministry of Economy, Trade, and Industry (METI) freely admits its intention to:
"...try to find the good way to utilize SBOM for increasing the effectiveness by its introduction, and the one to lead its widespread use" [sic]
Despite the challenges for Japanese adoption of SBOMs, as their use becomes more common outside of Japan, local vendors will likely need to find a way to comply with government guidelines. Managing open-source software risk and license compliance requires a cost-effective method of leveraging SBOMs.
Software bills of materials (SBOMs) are a relatively new way to enhance your software supply chain security (SSCS) by managing your open-source software risk. Worldwide adoption is in its infancy, but you can clearly see that the topic is under consideration across the globe.
Governments are recognizing software supply chain risk and the power of SBOMs for software vulnerability remediation and license compliance. While there are still some details to work out, it's clear we're on a trajectory for global SBOM adoption.
Vendors that adopt SBOMs early will gain a competitive advantage in the market as customers increasingly call for greater software supply chain security measures. Leveraging SBOMs, however, requires the right toolset.