SBOM repository

Cyber Official Advocates for CISA-Managed Software Inventory Hub

Amy Hamilton, a senior cybersecurity adviser at the Department of Energy, said at an FCW event on Nov. 2 that she hopes the Cybersecurity and Infrastructure Security Agency will create a central repository for software bills of materials, which are itemized program component lists. She explained that a hub would reduce the legwork for federal agencies developing SBOMs as the White House and Congress continually update guidelines.

Hamilton added that having all the lists in one place could prove useful as there will likely be overlap in what software agencies get from vendors, FCW reported Thursday.

According to Zetra Batiste, a Department of State official in charge of supply chain risk management, the government still faces several development challenges before SBOMs can begin to see wider adoption. She added the State Department is still trying to round up experts to provide guidance on storing such lists.

Several technology groups sent a joint letter in September to high-ranking members of congressional committees, warning against the premature implementation of SBOMs without a standard approach to creating, disseminating and processing them. The 2023 defense budget that passed in the House of Representatives contains a requirement for vendors to include such lists and attest that their products lack known defects.