Software Bill of Materials update suggests rising regulatory requirements

Key points

  • The US government has released updated guidance to help organisations manage software supply chain security risks.

  • The publication of new technical guidance suggests that software supply chain management will come under increasing government scrutiny in the US.

  • This scrutiny is being driven by enhanced geopolitical competition over technology and the weaponisation of supply chains for sabotage.

  • The UK’s cyber security authority, the NCSC, is ambivalent about the value of SBOMs, but the direction of travel in the US suggests that UK companies will come under increasing pressure to comply with US SBOM requirements over the next five years.

  • This pressure will be felt especially in the aerospace and defence sectors, given the importance of operational resilience in those sectors and the elevated risk of adversary targeting. 

Background

On 15 October 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) published the most recent update of its guidance for organisations developing a Software Bill of Materials (SBOM). 

SBOMs are a response to the challenge posed by the complex and often opaque dependency chains present within software and software supply chains. The guidance describes an SBOM as a “formal, machine-readable inventory of software Components and Dependencies, information about those Components, and their relationships”.

Tracing the bundles of dependencies within any one software package can be a challenging task; SBOMs are intended to address this challenge in a way that generalises across very different sectors and use cases. Because SBOMs are machine readable, an organisation can query them to determine rapidly and authoritatively whether a given component is present in its software, and through which dependencies, when a vulnerability is disclosed or an incident occurs.

Software supply chain security

The challenge of software supply chain security emerges from fundamental characteristics of the software ecosystem. Modern software development depends on the use and re-use of code, much of which is open-source and hosted on repositories such as GitHub. As such, software rapidly develops complex bundles of dependencies, as one piece of software relies on a set of components and dependencies, which in turn will have their own components and dependencies. Given the long supply chains involved, it can be challenging for organisations to develop a timely and accurate assessment of their exposure. 

This carries substantial risk, as parts of the software ecosystem contain vulnerabilities, are no longer maintained, or are actively malicious. One example of a vulnerability is credentials (such as passwords) hardcoded, that is written directly into, source code shared on a public platform. Code from that repository might be re-used in an open-source project, which in turn is incorporated into a commercial product that is then sold on to end clients. In this way a single flaw can enter the digital estates of large numbers of organisations.

The potential for vulnerable or malicious code to be widely distributed in this way means that software supply chain risks have the potential to be systemic: a single issue could simultaneously affect a large part of the digital ecosystem, with an impact similar to that seen in the CrowdStrike outage of July 2024 (which was caused by a faulty sensor update rather than an attack, but showed how far one widely deployed component can reach). The Log4j incident is a prime example of a case where the presence of a vulnerable library in the supply chains of many different developers rendered large parts of the digital ecosystem susceptible to exploitation overnight, and in which most affected organisations had no ready way of knowing whether they were exposed.
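The SBOM definition above and the Log4j case illustrate the practical question an SBOM is meant to answer: given an advisory for one component, which of our products pull it in, and by which paths? The following Python is an added example, not code from the CISA guidance or from this page’s author. It parses a small CycloneDX JSON document (a constructed SBOM for a hypothetical product; the CycloneDX field names bomFormat, metadata.component, components, bom-ref and dependencies/ref/dependsOn are real schema fields) against an illustrative advisory record, walks the dependency graph from the product down to every affected copy of the named component, and separately lists inventory entries that the dependency data never reaches, which is a common sign that a supplier’s SBOM is incomplete. The version range in EXAMPLE_ADVISORY is assumed for the example; real ranges should be taken from the vendor or NVD advisory.

```python
"""Triage a CycloneDX JSON SBOM against an advisory: which dependency paths from
the product reach an affected component, and which listed components the
dependency graph never reaches (a sign the SBOM's relationship data is incomplete)."""
import json

# Constructed CycloneDX 1.5 SBOM for this example; product and library names are
# hypothetical. Two copies of log4j-core are listed, only one in the affected range.
LOG4J_OLD = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LOG4J_NEW = "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "billing-service",
                               "version": "1.4.0", "bom-ref": "app:billing-service@1.4.0"}},
    "components": [
        {"type": "library", "name": "reporting-lib", "version": "3.2.0", "bom-ref": "lib:reporting-lib@3.2.0"},
        {"type": "library", "name": "audit-lib", "version": "1.0.5", "bom-ref": "lib:audit-lib@1.0.5"},
        {"type": "library", "name": "metrics-lib", "version": "0.4.1", "bom-ref": "lib:metrics-lib@0.4.1"},
        {"type": "library", "name": "legacy-utils", "version": "0.9.0", "bom-ref": "lib:legacy-utils@0.9.0"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": LOG4J_OLD, "bom-ref": LOG4J_OLD},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": LOG4J_NEW, "bom-ref": LOG4J_NEW},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2", "purl": JACKSON, "bom-ref": JACKSON},
    ],
    "dependencies": [
        {"ref": "app:billing-service@1.4.0",
         "dependsOn": ["lib:reporting-lib@3.2.0", "lib:audit-lib@1.0.5", "lib:metrics-lib@0.4.1"]},
        {"ref": "lib:reporting-lib@3.2.0", "dependsOn": [LOG4J_OLD]},
        {"ref": "lib:audit-lib@1.0.5", "dependsOn": [JACKSON, LOG4J_OLD]},
        {"ref": "lib:metrics-lib@0.4.1", "dependsOn": [LOG4J_NEW]},
    ],
})

# Illustrative advisory record, constructed for the example (assumed range).
EXAMPLE_ADVISORY = {"group": "org.apache.logging.log4j", "name": "log4j-core",
                    "introduced": "2.0", "fixed": "2.15.0"}


def parse_version(text):
    """Numeric tuple for dotted versions; pre-release and build suffixes are
    dropped, so '2.0-beta9' compares as 2.0. Adequate for range checks only."""
    core = text.split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed, padding short tuples with zeros."""
    pv, lo, hi = parse_version(version), parse_version(introduced), parse_version(fixed)
    width = max(len(pv), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(pv) < pad(hi)


def load_graph(sbom_text):
    """Return (root bom-ref, components keyed by bom-ref, adjacency list)."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = sbom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in sbom.get("components", []):
        components[comp["bom-ref"]] = comp
    graph = {dep["ref"]: list(dep.get("dependsOn", [])) for dep in sbom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def is_affected(component, advisory):
    """Match on group and name, then on the advisory's version range."""
    if component.get("name") != advisory["name"]:
        return False
    if advisory.get("group") and component.get("group") != advisory["group"]:
        return False
    return version_in_range(component.get("version", "0"), advisory["introduced"], advisory["fixed"])


def affected_paths(sbom_text, advisory):
    """Every dependency path from the product to an affected component. Each path
    matters for remediation: every intermediate library needs its own upgrade."""
    root, components, graph = load_graph(sbom_text)
    hits = []

    def walk(ref, path):
        path = path + [ref]
        if ref != root and is_affected(components.get(ref, {}), advisory):
            hits.append(path)
            return
        for child in graph.get(ref, []):
            if child not in path:  # guard against cyclic dependency data
                walk(child, path)

    walk(root, [])
    return hits


def unreachable_components(sbom_text):
    """Inventory entries no dependency edge reaches from the product: dead entries
    or missing relationship data, worth raising with the supplier before trusting
    the SBOM for incident triage."""
    root, components, graph = load_graph(sbom_text)
    seen, stack = set(), [root]
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(graph.get(ref, []))
    return sorted(ref for ref in components if ref not in seen)


if __name__ == "__main__":
    for path in affected_paths(SAMPLE_SBOM, EXAMPLE_ADVISORY):
        print(" -> ".join(path))
    print("unreachable:", unreachable_components(SAMPLE_SBOM))
```

Run against the sample, the walk reports two distinct paths to the 2.14.1 copy (via reporting-lib and via audit-lib) and none to the 2.17.1 copy, and flags legacy-utils as an entry the dependency graph never reaches. Real SBOMs are often far less tidy than this: components without bom-refs, purls that disagree with the name and version fields, and missing dependency sections are routine, which is why ingestion tooling needs validation as well as graph search.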

[Figure: an excerpt from the CISA report on SBOM, ‘Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)’, CISA, 2024]

Analysing the report

The report, titled ‘Framing Software Component Transparency’, contains detailed guidance for organisations producing and using SBOMs. The aspiration is for SBOMs to be applicable across the software ecosystem and scaled globally. However, this creates considerable technical challenges. The updated guidance reflects the output of ongoing technical workstreams seeking to address those challenges.

The guidance states that the US government views addressing software supply chain risk as a matter of national security. This concern is driven by high-profile instances of espionage enabled by supply chain compromise. It also comes amid increased attention on supply chain security more broadly, at a time when physical supply chains are literally being weaponised. The attacks targeting the Lebanese militant group Hizbullah in September 2024 relied on supply chain compromise to deliver physical effects. Similarly, the Russian intelligence services have experimented with concealing explosive devices in international parcels with the goal of sabotaging transatlantic flights, the BBC reported in November 2024.

Direction of travel

The software ecosystem will almost certainly continue to expand in terms of size and complexity, not least as the use of generative AI leads to more code being written more quickly, by people with less understanding of the fundamentals of software development. 

In a geopolitical environment defined by increasing conflict, and where key adversaries have demonstrated a willingness to engage in increasingly reckless campaigns of sabotage, the risk of deliberate attempts to compromise key pillars of the software ecosystem is also increasing. 

This is the third edition of the SBOM guidance, indicating that CISA is committed to the development of the SBOM concept. Its publication comes at a time when the US government is applying heightened scrutiny to compliance with cybersecurity standards by organisations engaged in scientific research and technological development.

In the UK, the NCSC has evinced an ambivalent attitude towards SBOM. A September 2024 blog post stated that “NCSC recognises that SBOMs are being increasingly used in many settings”, but was careful to note that the blog was “neither an endorsement nor a rejection” of SBOM technologies. This careful stance likely reflects concern over the potential for SBOM to become a ‘tick box’ compliance matter - and potentially an expensive one - rather than a tool for achieving greater visibility into supply chains and mitigation of supply chain risk. 

Nonetheless, we assess with a high degree of confidence that in its support for SBOM the US is setting a direction of travel that will be followed by the UK and other countries. Government and regulator scrutiny in this area will be heightened in sectors relevant to geopolitical competition, with aerospace and defence likely to be most immediately affected.

How should organisations respond?

  • Organisations should ensure that their institutional processes for identifying and managing risk cover supply chain risk.

  • Organisations that develop software should review the updated guidance to ascertain whether they have the processes and technology necessary to produce SBOMs that align with it.

  • All organisations should review their processes and technology for ingesting and tracking SBOMs for the software running on their digital estate.

  • Organisations in the aerospace and defence sector, regardless of jurisdiction, should assess now whether they are on track to deliver an SBOM management and assurance capability in line with CISA guidance within the next five years.

  • Organisations should consider early how to manage the cost overheads of producing, ingesting and maintaining SBOMs and the associated software inventory records.

  • A short-term focus on software supply chain risks should not detract attention from the broad range of physical and cyber risks around supply chains. 


SECURED is approved by the NPSA to provide protective security assessments for companies, research institutions, and investors. Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture. We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability.  

If you have any questions, or to subscribe for further updates on this subject, please contact hello@secured-research.com.
