The software bill of materials (SBOM) is on its way to being recognized as a key security document and the primary enabler of software transparency across all industries. In healthcare, FDA (US Food and Drug Administration) included the SBOM in the first draft of their Premarket Guidance in 2018, but they referred to it as a CBOM (Cybersecurity Bill of Materials). Today, SBOM, which is a detailed list of software components found in a product or system, has become the more accepted terminology.
As more cybersecurity breaches are announced, almost daily it seems, business leaders, industry experts, and regulatory agencies are looking to the SBOM as an important element of a sound cybersecurity strategy. The SBOM is gaining so much momentum that some have found it necessary to caution that the SBOM won’t solve all security woes, and that it is just one piece of the larger cybersecurity puzzle, albeit an important piece.
SBOM references have appeared across a wide variety of security-based content, including the recent news of an imminent Biden administration executive order. The order aims at strengthening the nation’s security posture and includes a reference to the SBOM. From a regulatory perspective, FDA has prioritized the 2021 release of the final version of their Premarket Guidance, mentioned above, which recommends that medical device manufacturers provide an SBOM with their products. In other SBOM news, Tag Cyber’s 2021 Security Annual – 2nd Quarter includes an article titled “The Time Has Arrived for Software Bill of Materials”. The article refers to the important SBOM work currently happening at the National Telecommunications and Information Administration (NTIA) under Allan Friedman.
When it comes to protecting software-based products and systems, it seems almost common sense that a lack of visibility into the software components used in the product or system is a massive impediment. So, on one hand, the SBOM should seem inevitable as a key security document. On the other hand, some industries are slow to change and adapt, and only do so with the appropriate motivation. Unfortunately, or fortunately for the SBOM, the recent spate of cybersecurity attacks is providing that motivation.