SBOM-a-RAMA ’23 : Key Updates

SBOM-a-RAMA was hosted by CISA with participation from FDA, NTIA in the US, European Commission from the EU, and METI from Japan.
June 18, 2023

Software Bill of Materials (SBOM) is transforming how software compliance and security risks are described, organized, shared, and monitored. For nearly a decade, SBOM has existed in some form for limited use cases. Therefore, when, in 2017, NTIA went out to find a method for creating software transparency, it met an eager and visionary community around SBOM.

This week, the community of original SBOM practitioners met newer SBOM adopters live and virtually at the CISA-organized event — SBOM-a-RAMA. This was a day of sharing updates, success stories, challenges, and crafting a path ahead. The event was hosted by indefatigable Dr. Allan Friedman — senior advisor at CISA.

On the regulatory side, SBOM-a-RAMA was hosted by CISA with participation from FDA, NTIA in the US, European Commission from the EU, and METI from Japan.

On the commercial side, the event had representation from Google, Amazon, Microsoft, SAP, Oracle, ServiceNow, VMWare, Hitachi, AT&T, Medtronic, and NY-Presbyterian Hospital, among others. Of course, Intelrynk founders were there in person, and we live twitted some fun facts from the event here.

Key Learnings:

  • EU Cyber Resiliance Act (CRA) is in the committee vote right now. CRA is likely to use an international format for SBOM requirements.
  • CRA is likely to empower “market surveillance authorities” to require SBOM but not likely to require making SBOM public.
  • METI’s SBOM evaluation is ongoing, and any final recommendation is likely to go into effect in 2024.
  • Auto-ISAC has a members-only committee on SBOM, and therefore not all of the information can be shared. However, 1.5 trillion dollars worth of enterprise value is represented in that group.
  • SBOM Cloud Adoption working group will recommend SaaSBOM include a “Bill of Services” (3rd party-dependent APIs and services — this is possible with CycloneDX only).
  • CISA to look for a way to mix M-22–18 compliance (self-attestation) with SBOM compliance.
  • In success stories, one participant shared that their Board member training programs included training on SBOM requirements. Another participant shared that the SBOM review is part of their company’s board agenda.
  • Representatives from Medical Device Manufacturers seem unclear about how to disclose vulnerabilities. One organization shared that they see SBOM in “Microsoft Word” documents and therefore are struggling with it. FDA guidance is still pending, while the deadline is October 1st.
  • CISA mentioned a couple of big vendor announcements are coming up “soon” and are likely to accelerate SBOM consumption and adoption. These are massive public companies. No details.

All slides are likely to get shared in the next few days at CISA’s site.