The President’s recent cybersecurity Executive Order (14028) directed the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), to publish the “minimum elements” for a Software Bill of Materials (SBOM). See: .The Minimum Elements For a Software Bill of Materials (SBOM) This report builds on the work of NTIA’s SBOM multistakeholder process, as well as the responses to a request for comments issued in June, 2021, and extensive consultation with other Federal experts.
An SBOM is a formal record containing the details and supply chain relationships of various components used in building software. In addition to establishing minimum elements, this report defines the scope of how to think about minimum elements, describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution
The minimum elements as defined in the report are the essential pieces that support basic SBOM functionality and will serve as the foundation for an evolving approach to software transparency. These minimum elements comprise three broad, interrelated areas.
- Data Fields: Documenting baseline information about each component that should be tracked
- Automation Support: Allowing for scaling across the software ecosystem through automatic generation and machine-readability
- Practices and Processes: Defining the operations of SBOM requests, generation and use
SBOM minimum elements will enable basic use cases, such as management of vulnerabilities, software inventory, and licenses. The report also looks at recommended SBOM features and advances that go beyond the minimum elements, including key security features and tracking more detailed supply chain data.