Components, libraries, tools, and processes used to develop, build, and publish a software artifact

A software supply chain is the components, libraries, tools, and processes used to develop, build, and publish a software artifact.

A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open source and proprietary software components. It is the software analogue to the traditional manufacturing BOM, which is used as part of supply chain management.

Usage

An SBOM allows builders to make sure open-source and third-party software components are up to date and respond quickly to new vulnerabilities. Buyers and other stakeholders can use an SBOM to perform vulnerability or license analysis, which can be used to evaluate and manage risk in a product.

While many companies use a spreadsheet for general BOM management, there are additional risks and issues in an SBOM written to a spreadsheet. It is best practice for SBOMs to be collectively stored in a repository that can be part of other automation systems and easily queried by other applications.

Legislation

The Cyber Supply Chain Management and Transparency Act of 2014 was a failed piece of US legislation that proposed to require government agencies to obtain SBOMs for any new products they purchase and to obtain SBOMs for "any software, firmware, or product in use by the United States Government". The act spurred later legislation such as the "Internet of Things Cybersecurity Improvement Act of 2017".

The US Executive Order on Improving the Nation's Cybersecurity of May 12, 2021 ordered NIST and NTIA to lay down guidelines for software supply chain management, including for SBOMs. The NTIA outlines three broad categories of minimum elements of SBOMs: data fields (baseline information about each software component), automation support (the ability to generate SBOMs in machine- and human-readable formats), and practices and processes (how and when organizations should generate SBOMs). The "automation support" requirement specifies the need for "automatic generation," which is possible with the use of Software Composition Analysis (SCA) solutions.

See also

Reproducible builds
Software Package Data Exchange
Software toolchain
Supply chain attack
Manifest file
Dependency hell