FW: CISA SBOM update


Dick Brooks
 

FYI: An update today from Allan Friedman re: CISA SBOM activities – see email below.

 

NOTE from Allan: As a reminder, CISA facilitates these open discussions, but the participants shape the agenda. These are also expressly not a forum for discussing USG policy, or offering any kind of advice to CISA.

 

CISA does have sanctioned activities that touch on SBOM matters under the ICT_SCRM Task Force, which are producing Guidance Documents issued by CISA:

https://www.cisa.gov/sites/default/files/publications/Securing-SMB-Supply-Chains_Resource-Handbook_508.pdf

 

ICT_SCRM Task Force work streams and other information, e.g., task force membership, are also available here; the Small and Medium Business Guidebook was published in January 2023:

https://www.cisa.gov/resources-tools/groups/ict-supply-chain-risk-management-task-force

 

I work on three ICT_SCRM Task Force work streams:

Small and Medium-sized Businesses Working Group

Software Assurance Working Group

Product Marketing Working Group

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Friedman, Allan <allan.friedman@...>
Sent: Tuesday, March 14, 2023 10:39 AM
To: Murphy, Justin <justin.murphy@...>; DOSCHER, MEGAN <MEGAN.DOSCHER@...>; SBOM <SBOM@...>
Cc: STODDARD, JEREMIAH (CTR) <JEREMIAH.STODDARD@...>
Subject: CISA SBOM update

 

Dear SBOM community,

 

Over the last few months, the five community-led workstreams on SBOM have been making progress. Below is a quick summary of the focuses, and current activities of each group.

 

As a reminder, CISA facilitates these open discussions, but the participants shape the agenda. These are also expressly not a forum for discussing USG policy, or offering any kind of advice to CISA.


If you would like to join any of the mailing lists, please send us a note at SBOM@....

 

Please don’t hesitate to reach out if you have any questions.

allan

 

VEX 

Monday, 10 AM ET – 11 AM ET (email SBOM@... for calendar invite)

This workstream defines and refines the Vulnerability Exploitability eXchange (VEX) model, which allows attestations on whether a product is affected or not affected by a given vulnerability, and characterizes VEX use cases and operations.

Current activities:

  • A completed “Minimum Requirements for VEX” document was finalized by the working group and will be shared on the CISA SBOM page. This document will help support scalable implementations and serve to harmonize expectations.
  • Next steps: continue working on VEX guidance, including sharing some options for when to issue a VEX.

 

Sharing & Exchanging SBOMs

Monday, 12 PM ET – 1 PM ET (email SBOM@... for calendar invite)

The Sharing and Exchanging workstream focuses on the topic of moving SBOMs and related metadata across the software supply chain. The working group discusses how to enable discovery and access, while underscoring the importance of solution interoperability.

Current activities:

  • Exploring specific sharing use cases to better understand sharing requirements.
  • Simple use cases around software delivery, and a customer asking for an SBOM.
  • More complex use cases include (1) a multipart supply chain with varying access control and (2) an operational approach to integrate SBOM data into a network with asset management or vulnerability management.

 

On-Ramps & Adoption  

Tuesday, 12 PM ET – 1 PM ET (email SBOM@... for calendar invite)

The On-Ramps and Adoption workstream focuses on promoting education and awareness to help lower the costs and complexities of adoption, allowing newer or less mature organizations to provide, request, and use SBOMs to secure and understand their organization’s risk. The goal is to meet people where they are, remove barriers, reduce friction, and accelerate adoption. The workstream may define further use cases for SBOM. The final workstream focus is to coordinate efforts across all new and existing SBOM-related workstreams to help in communications as well as to help avoid substantive overlap.

 

Current activities include:

  • Providing explicit guidance around SBOM use for the acquisition / procurement use case.
  • How to enable and support organizations asking for SBOMs.
  • Updating and expanding the SBOM FAQ.

 
Cloud & Online Applications

Wednesday, 3 PM ET – 4 PM ET (email SBOM@... for calendar invite)

The Cloud and Online Applications workstream focuses on integrating current understanding around SBOM into the context of online applications and distributed, on-demand infrastructure. Most of the existing discussion around SBOM, particularly around SBOM use cases, has focused on on-premise software. Online, cloud-based applications comprise a large and growing segment of the software ecosystem. It will be important to integrate the current understanding of SBOM with emergent advances in cloud-native technologies to tell better stories about SBOM use cases for cloud and understand how this will be handled across organizational boundaries.

Current activities include:

  • Building guidance on SBOM for SaaS providers and customers
  • Exploring what transparency looks like for the broader cloud stack
  • Defining a model of transparency for services to track the transitive graph of online applications’ use of third-party services

 
Tooling & Implementation

Thursday, 3 PM ET – 4 PM ET (email SBOM@... for calendar invite)

The Tooling and Implementation workstream focuses on opportunities and challenges for automating the SBOM ecosystem. This ecosystem will be driven by a range of accessible and constructive tools and enabling applications, both open source and proprietary. This work will potentially enhance existing SBOM data with further implementation details, encourage interoperability, and foster the advancement and efficiency of the tooling marketplace.

Current activities include:

  • A completed “Types of SBOM Documents” two-page overview was finalized by the working group and will be shared on the CISA SBOM page. This document delineates some differences and value between different types of SBOMs (for example, from source, at build, etc.) that SBOM tools can generate.
  • A discussion and potential guidance around how to measure and communicate the relative quality of SBOMs.
  • Beginning to plan public “plugfests” to test and advance interoperability of SBOM tools.

 
You are receiving this email because of interest expressed in CISA’s SBOM work. To subscribe or unsubscribe, please contact SBOM@...