Software Bill of Materials (SBOM) Sharing Lifecycle Report
- Idaho National Laboratory (INL), Idaho Falls, ID (United States)
- Pacific Northwest National Laboratory (PNNL), Richland, WA (United States)
- US Dept. of Homeland Security (DHS), Washington, DC (United States). Cybersecurity and Infrastructure Security Agency (CISA)
As Software Bill of Materials (SBOM) adoption efforts mature, SBOM sharing continues to occur, but no single solution or set of solutions has become ubiquitous. The purpose of this report is to enumerate and describe the different parties and phases of the SBOM sharing lifecycle and to help readers choose suitable SBOM sharing solutions based on the time, resources, subject-matter expertise, effort, and access to tooling available to them for implementing a phase of the lifecycle. The SBOM sharing lifecycle consists of the Discovery, Access, and Transport of an SBOM; this report details each of these phases and how an SBOM travels from author to consumer. It also describes how enrichment activities may be performed on an SBOM, before or after it has been shared, to create a new product. The concept of a sophistication classification for SBOM sharing solutions is introduced alongside, focusing on which features a solution includes or lacks and the effort associated with implementing them. Examples of low-, medium-, and high-sophistication solutions are provided; however, these examples and their categorizations should not be read as a qualitative judgment intended to push the reader towards a particular adoption strategy, since sharing solutions are chosen based on the unique needs of the user. The report does recommend that the SBOM community consider how to make current and future sharing solutions interoperable with one another, as well as more automated methods to facilitate sharing and broader SBOM adoption. The report also presents the results of an SBOM sharing survey, obtained from interviews with stakeholders, to capture the current SBOM sharing landscape. The categorized survey results suggest that SBOMs are currently either transported directly to the receiver through email or similar informal communication mechanisms, or hosted on a repository available to consumers.
In addition to these transport methods, the report captures industry efforts to create private sharing solutions and services that can store and transport enrichment data and may use higher-sophistication features that are cloud-based or rely on distributed ledger technologies.
- Research Organization: Idaho National Laboratory (INL), Idaho Falls, ID (United States)
- Sponsoring Organization: USDOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER); US Department of Homeland Security (DHS). Cybersecurity and Infrastructure Security Agency (CISA)
- DOE Contract Number: AC07-05ID14517
- OSTI ID: 1969133
- Report Number(s): INL/RPT--23-71296-Rev000
- Country of Publication: United States
- Language: English
Similar Records
- Software Bill of Materials (SBOM) Sharing Lifecycle Report Presentation. Conference, Tue Apr 11 2023. OSTI ID: 1970136
- SoK: A Framework for and Analysis of Software Bill of Materials Tools. Technical Report, Fri Apr 01 2022. OSTI ID: 2204407
- Towards Software Bill of Materials in the Nuclear Industry. Technical Report, Thu Sep 01 2022. OSTI ID: 1901825