gears (Omelchenko/

Protecting the supply chain with a software bill of materials

One way to prevent supply chain hacks would be with a software bill of materials (SBOM), a mechanism that would allow organizations to find out if any of the software they use has been affected by a specific vulnerability.

The National Telecommunications and Information Administration is in the process of helping various industries develop SBOM, or a formal record of the details and supply chain relationships among the various components used in software. These components,  according to NTIA, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.

Currently organizations looking to find and manage vulnerabilities check the National Vulnerability Database for Common Vulnerabilities and Exposures, but without a SBOM, there’s no way to identify the components of a software package. A SBOM would give developers, buyers and users of software a way to track software dependencies across supply chains, manage vulnerabilities and anticipate emerging risks.

Creating the concept, interoperable data standards, best practices and market expectations for SBOM across industries is a massive challenge.

Licensing concerns and open source restrictions present hurdles, as do requirements for machine readability, modularity and scalability, but those obstacles can be overcome with technical and operational innovation and interoperability, according to Allan Friedman, NTIA’s director of cybersecurity initiatives.

Medical device manufacturers jumped on the SBOM train in 2018, standardizing data from specific devices that could be shared with the hospitals, which in turn use it for specific use cases,” Friedmand said at a recent FCW supply chain security workshop. “Meanwhile the manufacturers can also use this data generation process to better understand their supply chain.“

The automotive sector is likewise jumping on board so automotive suppliers and OEMs better understand what's in their software and quickly mitigate vulnerabilities.

Building on the work of the health care sector, the energy industry is planning a proof of concept in which software suppliers and users will work together to develop and test formats and procedures for production and use of SBOMs, according to a blog post by Tom Alrich, a security consultant for the power industry.

Interoperability is critical, even as various industries explore their own SBOM use cases.

“We've adopted a position of radical ecumenicism,” Friedman said. “Our interest is to help those communities work together and indeed they are.” Rather than seeing other industries as competitors, he said, “each brings different things to the table, and that's great.”

About the Author

Susan Miller is executive editor at GCN.

Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.

Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.

Connect with Susan at [email protected] or @sjaymiller.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected