Software Bill of Materials (SBOM)
A structured list of the components and modules that make up a piece of software, and the supply chain relationships between them
- #ispg-saas-governance
What is an SBOM?
A “Software Bill of Materials” (SBOM) is a list of all the open-source and third-party components present in a system’s code. An SBOM lists the licenses that govern the components, the versions of the components used in the code, and their patch status, which allows for quick identification of any security or license risk.
SBOMs are becoming an important part of how government agencies strengthen their software security by identifying and managing risks in the software supply chain. For federal information technology systems, SBOMs support:
Transparency - Organizations are more aware of the component parts of their software and can make better security decisions based on that knowledge.
Vulnerability tracking - Known vulnerabilities for each component can be tracked as software updates are made, resulting in a more accurate understanding of a project’s overall system risk.
Auditing - Knowing a system’s component parts and any related risks ensures that only authorized dependencies are included in a software project.
Federal guidance on SBOM
Federal authorities such as the National Telecommunications and Information Administration (NTIA) and the Cybersecurity Infrastructure Agency (CISA) provide information about the use of SBOMs and the importance of their adoption by government agencies:
SBOM videos from NTIA
The National Telecommunications and Information Administration (NTIA) has produced a series of explainer videos about Software Bill of Materials (SBOM) that can help you understand their value and how to use them.
SBOM adoption at CMS
CMS is working to align its cybersecurity strategy with federal government standards, including the Executive Order on Improving the Nation’s Cybersecurity (2021), which calls for enhanced software supply chain risk management across government agencies. Incorporating SBOMs into this overall strategy will help CMS mitigate weaknesses in its software supply chain and prevent threats from bad actors that seek to compromise government systems.
Like all modernization efforts, the full-scale adoption and utilization of SBOMs at CMS will take some time. The effective use of SBOMs depends on their completeness and quality – as well as the tooling used to “consume” the SBOMs in order to make sense of the data they provide.
Contact
While we are determining our strategy and technology for implementing SBOMs effectively, system teams and Business Owners with questions about the secure and approved usage of SaaS products should get in touch with the CMS SaaS Governance (SaaSG) team:
Email: saasg@cms.hhs.gov
CMS Slack: #ispg-saas-governance
Related documents and resources
Considerations and guidelines for CMS business units wanting to use SaaS applications
Learn about the latest federal cybersecurity guidance from the White House and its application at CMS