The National Security Agency and the Cybersecurity and Infrastructure Security Agency, in collaboration with cybersecurity agencies from more than a dozen countries, have released a joint guidance highlighting the importance of a software bill of materials. The publication, titled “A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity,” urges software producers, procurers and operators to adopt SBOM practices to strengthen visibility into supply chains and reduce risks, NSA said Wednesday.
Potomac Officers Club will host the 2025 Intel Summit on Oct. 2. The event brings together senior leaders from across the intelligence community to explore emerging threats, technological advances and strategic opportunities shaping national security today. Register today to secure your spot and engage with decision-makers and thought leaders driving the future of the IC.
Enhancing Supply Chain Security
An SBOM is described as a “list of ingredients” for software, documenting the components, modules and libraries used to build an application. The guidance notes that most modern software is built on open-source and proprietary elements, making it critical to increase transparency around software dependencies. By generating, analyzing and sharing SBOMs, organizations can improve vulnerability management, supply chain risk assessments, license compliance and software development practices, the guidance stated.
The document highlights how SBOMs helped organizations respond more efficiently to the 2021 Log4j vulnerability. Those with SBOM data were able to identify affected components faster, while those without had to rely on time-consuming manual checks.
Driving SBOM Adoption
The guidance aligns SBOM implementation with the Secure by Design initiative, which encourages technology manufacturers to normalize the development of products that are secure out of the box. It calls for automation in SBOM generation and integration into existing security and asset management tools to ensure effectiveness and scalability.
“Widespread adoption of SBOM will strengthen security, reduce risk, and decrease costs,” the authoring agencies said. They also warned that diverging implementations could hinder progress, stressing the need for a coordinated international approach.
The effort was developed in partnership with the Australian Cyber Security Centre; the Canadian Centre for Cyber Security; the French Cybersecurity Agency; Germany’s Federal Office for Information Security; Japan’s Ministry of Economy, Trade and Industry; Singapore’s Cyber Security Agency; South Korea’s National Intelligence Service; and more than 10 other national authorities. The European Commission’s Directorate-General for Communications Networks, Content and Technology also contributed to the guidance.
