In 2022, an Executive Memo (Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) expanded on 2021’s Executive Order 14028 (Improving the Nation’s Cybersecurity).
According to the 2022 memo, federal agencies may now require SBOMs for critical software. The memo also identified SBOMs as the preferred method for demonstrating compliance with National Institute of Standards and Technology (NIST) standards.
SBOMs are a standardized, machine-readable inventory of software components and dependencies. They’re designed to track the details and supply chain relationships of software components, their dependencies, and their hierarchical relationships.
SBOMs provide transparency into the components that make up software. When all the component “ingredients” that make up an application’s code are known, businesses can quickly identify impacted applications when one of those components is found to have a vulnerability.
Supply chain compromises, including 2019’s SolarWinds attack, created urgency around potential supply chain threats. President Biden tasked NIST with developing a plan to protect the software supply chain as a critical component of the country’s cybersecurity posture.
Today, SBOMs may be required by federal executive agencies for critical software. To comply with the recent executive order and executive memo, these SBOMs must:
Guidance by the NTIA indicates that repository integration can provide a path to automating SBOM generation and updates: “SBOM data could be created and stored in the repository of the source. … an update to the underlying source should, in turn, create a new SBOM.”
Mend SCA enables you to quickly and easily generate SBOMs that: