
Press Release | Nov. 9, 2023

NSA and ESF Partners Release Recommended Practices for Software Bill of Materials Consumption

FORT MEADE, Md. – The National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and industry partners have released a cybersecurity technical report (CTR), “Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption.” The guidance in this release aids software developers, suppliers, and customer stakeholders in ensuring the integrity and security of software via contractual agreements, software releases and updates, notifications, and mitigations of vulnerabilities.
 
The report was developed by the Enduring Security Framework (ESF) Software Supply Chain Working Group, an NSA-, ODNI-, and CISA-led public-private cross-sector group, to provide details on recommended practices as a basis for describing, assessing, and measuring security practices relative to the software lifecycle. It builds on the “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” paper released by the Office of Management and Budget (OMB).
 
"Fundamentally, SBOM provides critical software transparency for improved patch and vulnerability management for customers as well as potentially mitigate supply chain risks," said Jorge Laurel, Chief, Enduring Security Framework. "The newest ESF release provides best practices for SBOM consumptions with the goal of increasing cybersecurity within organizations as well as the supply chain at large." 
 
The co-authors of the ESF report observe an increase in cyberattacks that highlight weaknesses within software supply chains. This in turn increases the potential for supply chains to be weaponized by nation-state adversaries who can access software via several means including, but not limited to, the following: exploitation of design flaws, incorporation of vulnerable third-party components into a software product, infiltration of the supplier's network with malicious code prior to the final delivery of the product, and injection of malware within the software deployed in the customer environment.
 
Following these observations, the report provides guidance in line with industry best practices and principles, including managing open source software and software bills of materials (SBOM) to maintain and provide awareness about the security of software. Specifically, the report details SBOM consumption, lifecycle, risk scoring, and operational implementation with the goal of increasing transparency in the software management cycle and giving organizations access to risk information.
 
“BlackBerry applauds ESF’s guidance on SBOM consumption,” said Christine Gadsby, VP Product Security, BlackBerry. “The availability of an accurate, comprehensive view and categorization of all software components is a game-changer for security in the software supply chain, allowing for real-time and a risk-based mitigation response to supply chain vulnerabilities, particularly for an entity’s most critical assets.”

Read the full report now.
 