NTIA’s ‘SBOM’ initiative releases draft playbook guide for software consumers | InsideCyberSecurity.com


John Scott

Oct 23, 2020, 9:27:27 AM10/23/20
to mil...@googlegroups.com
comments here :





NTIA’s ‘SBOM’ initiative releases draft playbook guide for software consumers

October 23, 2020 |
Sara Friedman

Stakeholders from NTIA’s software transparency initiative shared their latest drafts of working group products at a meeting Thursday to help industry utilize a Software Bill of Materials, including a software consumer playbook and “Quick Start Guide” based on a healthcare proof of concept.

The playbook, developed by the initiative’s “formats and tooling” working group, breaks down how an SBOM can be used when it comes to acquisition from a supplier, coverage for software systems and software entity resolution.

“This playbook outlines workflows for the acquisition, management and use of Software Bills of Materials (SBOM) by software consumers,” the playbook says. “Software consumer is broadly defined to include commercial and non-commercial entities acquiring third party software capabilities from a supplier.”

The document also explores what happens after an SBOM is acquired, outlining two potential options for “SBOM Ingestion and Parsing.” The first scenario is to only use the SBOM for content management and the second outlines how the data from SBOMs “will feed into enterprise workflows.”

In the draft, there is a separate section on the intellectual property and confidentiality status of SBOMs, which has some critiques over its content in a comment section in the Google Doc. Kate Stewart of the Linux Foundation indicated in the draft that she is going to do “a detailed review pass” on its content.

The “Healthcare SBOM Proof of Concept” working group shared the second version of its “Quick Start Guide” at the meeting based on work on two PoCs focused on medical devices.

The guide says, “The purpose of this ‘Quick Start Guide’ is to provide interested parties, regardless of industry vertical, with information, experiences, and best practices related to a Software Component Transparency / Software Bill of Materials (SBOM) PoC exercise. This document was developed through a working collaboration of Healthcare Delivery Organizations (HDO) and Medical Device Manufacturers (MDMs), focusing on significant developments and experiences discovered during the Healthcare SBOM PoC 1.0 (completed) and with PoC 2.0 (in progress).

“It is our hope that this information can be used to support the creation, sharing, ingestion, parsing, analysis, and correlation of the Software Bill of Materials (SBOM) and to provide more visibility into the security and safety of systems and applications,” according to the draft guide.

Meeting attendees also heard from two other working groups, one focused on framing and the other on awareness and adoption.

The framing group presented on three new drafts looking into “Sharing and Exchanging SBOMs;” “Software Identification Challenge and Guidance;” and draft requirements for sharing vulnerability status information (VEX), available at https://www.ntia.gov/files/ntia/publications/draft_requirements_for_sharing_of_vulnerability_status_information_-_vex.pdf.

The awareness group talked about the latest version of its FAQ, which defines what an SBOM is and covers benefits, common misconceptions and concerns, creation, distribution and sharing, role-specific questions, and the relationship between SBOM and other standards.

The next meeting of the NTIA initiative is scheduled for Jan. 13. NTIA’s Allan Friedman encouraged stakeholders to reach out with examples of how companies and organizations are using SBOMs.

Friedman said NTIA is not intending to endorse products. Instead, the agency wants to bring companies into the SBOM discussion to show how SBOMs are being valued and consumed today. -- Sara Friedman (sfri...@iwpnews.com)



-------------------------------------------
John Scott