Experts Note Increasing Adoption of Software Bills of Materials
Kate Stewart, a computer scientist at the Linux Foundation involved with defining standards for software bills of materials, said that the industry is starting to make progress with the concept compared to a decade ago. She added that having access to “good quality SBOMs” and their corresponding vulnerability data could result in better usage outcomes.
According to Allan Friedman, a Department of Homeland Security scientist, defenders can more easily spot and fix vulnerabilities if SBOMs work with existing vulnerability management systems.
SBOMs detail the components of a given piece of software and the relationships between them. They are meant to help engineers identify potentially exploitable components in a program, FedScoop reported Thursday.
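As an added illustration of the SBOM-to-vulnerability-data correlation Stewart and Friedman describe (example code, not from the article or any organization it names), the following Python matches the components of a constructed CycloneDX-style SBOM against a constructed advisory list and uses the SBOM's dependency relationships to show how the application reaches each affected component. Component names, versions and advisory IDs are placeholders, and the version parser assumes dotted numeric versions.

```python
import json
# Constructed CycloneDX-style SBOM (not any real product's): components and their dependency graph.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "app", "name": "claims-portal", "version": "2.1.0"},
    {"bom-ref": "web", "name": "webframework", "version": "4.2.1"},
    {"bom-ref": "log", "name": "loglib", "version": "2.14.1"},
    {"bom-ref": "json", "name": "jsonparser", "version": "1.9.3"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "json"]},
    {"ref": "web", "dependsOn": ["log"]}
  ]
}"""

# Constructed advisory feed with placeholder IDs (not real CVEs); half-open ranges [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "loglib", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-2", "name": "jsonparser", "introduced": "1.9.3", "fixed": "1.9.4"},
    {"id": "ADV-PLACEHOLDER-3", "name": "webframework", "introduced": "5.0.0", "fixed": "5.0.2"},
]

def parse_version(v):
    # Dotted numeric versions only (an assumption of this example; real ecosystems need their own rules).
    return tuple(int(p) for p in v.split("."))

def affected(version, introduced, fixed):
    # True when introduced <= version < fixed; the fixed version itself is not affected.
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def dependency_paths(deps, root, target, path=()):
    # Return every path through the SBOM dependency graph from root to target.
    path = path + (root,)
    if root == target:
        return [path]
    return [p for child in deps.get(root, []) for p in dependency_paths(deps, child, target, path)]

def match_sbom(sbom_json, advisories, root="app"):
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    deps = {d["ref"]: d["dependsOn"] for d in sbom.get("dependencies", [])}
    findings = []
    for ref, c in comps.items():
        for adv in advisories:
            if adv["name"] == c["name"] and affected(c["version"], adv["introduced"], adv["fixed"]):
                paths = [" -> ".join(comps[r]["name"] for r in p) for p in dependency_paths(deps, root, ref)]
                findings.append({"advisory": adv["id"], "component": f"{c['name']}@{c['version']}", "paths": paths})
    return findings
```

Each finding names the affected component and the dependency chain from the application to it, which is what lets a vulnerability management system tell a direct dependency from a transitive one.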
The practice is beginning to see adoption throughout the government. Aquia recently announced that it would implement an application programming interface for ingesting SBOMs as part of a subcontractor agreement with Noblis under an existing contract with the Centers for Medicare and Medicaid Services.
In November, a senior cybersecurity adviser with the Department of Energy called on the Cybersecurity and Infrastructure Security Agency to create a central hub for SBOMs. Earlier, a Department of State official shared plans to establish guidelines for making and storing such lists.