The World Lags With SBOM Requirements, But Likely Not For Long
The US Executive Order on Improving the Nation’s Cybersecurity ignited an evolution in software supply-chain security that breaches such as the ones on SolarWinds and Colonial Pipeline fueled. Putting teeth behind the Executive Order, an Office of Management and Budget September 2022 memorandum allows agencies to request a software bill of materials (SBOM) from suppliers. This puts the United States in the leader position for software supply chain and SBOM regulation, which is a significant shift, as the US has been behind the curve on some cyber regulation, with no bill comparable to the EU’s General Data Protection Regulation at the federal level. That will not last long, though, as other geopolitical actors are waking up to the risks of the software supply chain and taking steps toward securing it. Surveying current initiatives across the world, we find the following trends:
- The EU makes a sweeping proposal. In September 2022, the European Union proposed a Cyber Resilience Act that would require manufacturers to identify components in all products — hardware or software — with digital elements by using a software bill of materials, and an audit may be necessary for some critical products. Critics of the Act say that it goes too far in requiring even small-scale open source developers to comply, perhaps restricting access to open source code in the EU. But even if the EU tailors the Act’s scope, software vendors will almost certainly still be required to comply, which includes providing an SBOM.
- The UK seeks to expand existing regulation. In November 2022, the United Kingdom made a proposal seeking responses on how to further the aim of cyber resilience by expanding the coverage of regulation currently limited to certain critical systems and expanding the set of actions that the regulation requires. While the government has not explicitly stated that it will require SBOMs from manufacturers, a main rationale of the desire for changes to regulation is supply chain security, suggesting that a push for SBOM provisions in regulation may be in the offing.
- Japan tests the waters with industry cooperation. As yet, there is no push for SBOM regulation in Japan, but the government and private industry partners are cooperating on an SBOM proof of concept, similar to what is being conducted in the US, to test the costs and benefits of SBOM implementation. The proof of concept was launched in 2021, with the goal of expanding the project rapidly over 2023 and through 2025.
Creating SBOMs isn’t just a point-in-time exercise but an ongoing continuous process to ensure the security of the software that you provide to customers. To understand what your organization should be doing, read my new report, Prepare For Regulatory Requirements On Software Bills Of Materials, or set up an inquiry with me.
(written with Danielle Chittem, research associate)