The Cybersecurity and Infrastructure Security Agency (CISA) is holding a series of public listening sessions intended to use a community-based effort to advance the conversation around the technologies, policies, and processes required to implement Software Bills of Materials (SBOMs), according to a Federal Register notice published today.
CISA plans to hold and facilitate eight public listening sessions around four topics, with two sessions per topic. The topics are: cloud and online applications; sharing and exchanging SBOMs; tools and implementation; and on-ramps and adoption.
“Transparency from SBOMs aids multiple parties across the software lifecycle, including software developers, purchasers, and operators,” the announcement says. The sessions also reflect a recognition of the “importance of SBOMs in transparency and security, and that SBOM evolution and refinement should come from the community to maximize efficacy,” the agency said.
“CISA believes that the concept of SBOM and its implementation need further refinement,” the notice adds. “Work to help scale and operationalize SBOM implementation should continue to come from a broad-based community effort, rather than be dictated by any specific entity.”
As the notice states in its background section, the idea of an SBOM is not new and dates to 1995. An SBOM is a formal record of the “details and supply chain relationship” of the components that make up a piece of software. Put simply, it is something akin to a nutrition label for software, listing which open-source and commercial components are used in a product and how they depend on one another.
CISA renewed its calls for SBOMs this year after working through remediation of the Log4Shell vulnerability in the open-source Apache Log4j library, where the immediate question for every operator was whether, and through which dependency, an affected log4j-core version had been pulled into a product. The practice has since gained momentum, and CISA expects this community effort to push the idea further into the mainstream while gathering public feedback on how to refine the process.
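The Log4Shell use case above is the clearest illustration of what an SBOM buys an operator. The following Python script is an added example, not code from the article or from CISA: it consumes a constructed SBOM in the CycloneDX 1.4 JSON shape (the format choice, the `pkg:maven/...` package-URL prefix, and every component and product name in it are assumptions made for this example), flags any `log4j-core` whose version falls in the published affected ranges for CVE-2021-44228, and walks the `dependencies` graph to report the chain that pulled it in. The ranges are hard-coded here; a real pipeline would pull them from a vulnerability feed rather than embedding them.

```python
"""Consuming an SBOM: flag log4j-core components in the Log4Shell-affected
version ranges and show the dependency chain that pulls each one in."""
import json
import re
from collections import deque

# Constructed sample SBOM in the CycloneDX 1.4 JSON shape (not a real product's
# bill of materials). "bom-ref" identifies a component; the "dependencies"
# array records the supply-chain relationships between those refs.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "billing-service", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "logwrap", "type": "library", "name": "acme-logging",
         "version": "1.4.0", "purl": "pkg:maven/com.acme/acme-logging@1.4.0"},
        {"bom-ref": "l4j-core-old", "type": "library", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"bom-ref": "l4j-api", "type": "library", "name": "log4j-api",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"bom-ref": "report", "type": "library", "name": "acme-reporting",
         "version": "2.0.3", "purl": "pkg:maven/com.acme/acme-reporting@2.0.3"},
        {"bom-ref": "l4j-core-new", "type": "library", "name": "log4j-core",
         "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["logwrap", "report"]},
        {"ref": "logwrap", "dependsOn": ["l4j-core-old", "l4j-api"]},
        {"ref": "report", "dependsOn": ["l4j-core-new"]},
        {"ref": "l4j-core-old", "dependsOn": ["l4j-api"]},
    ],
})

# Affected version ranges for CVE-2021-44228, as [low, high) per release branch.
# Hard-coded for the example; in production these come from a vulnerability feed.
LOG4SHELL_RANGES = [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]
LOG4J_CORE_PURL_PREFIX = "pkg:maven/org.apache.logging.log4j/log4j-core@"


def version_key(version):
    """Sort key for Maven-style versions: numeric parts, then a pre-release tag.
    A tagged version such as 2.0-beta9 sorts before the bare 2.0 release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(.+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # 2.4 == 2.4.0
    tag = m.group(2)
    if tag:
        tm = re.fullmatch(r"([A-Za-z]*)(\d*)", tag)  # beta9 < beta10
        tag_key = (0, tm.group(1).lower(), int(tm.group(2) or 0)) if tm else (0, tag, 0)
    else:
        tag_key = (1, "", 0)
    return (nums, tag_key)


def in_affected_range(version, ranges):
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in ranges)


def load_sbom(text):
    """Return (components by bom-ref, dependency edges, root bom-ref)."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom.get("metadata", {}).get("component")
    if root:
        components[root["bom-ref"]] = root
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return components, edges, root["bom-ref"] if root else None


def dependency_path(edges, start, target):
    """Shortest chain of bom-refs from start to target (BFS), or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for child in edges.get(node, []):
            if child not in prev:
                prev[child] = node
                queue.append(child)
    return None


def find_log4shell(sbom_text):
    """Match on the package URL rather than the free-text name field, and strip
    purl qualifiers (e.g. ?type=jar) before reading the version."""
    components, edges, root = load_sbom(sbom_text)
    findings = []
    for ref, comp in components.items():
        purl = comp.get("purl", "")
        if not purl.startswith(LOG4J_CORE_PURL_PREFIX):
            continue
        version = purl[len(LOG4J_CORE_PURL_PREFIX):].split("?")[0]
        if in_affected_range(version, LOG4SHELL_RANGES):
            findings.append({"bom_ref": ref, "version": version,
                             "path": dependency_path(edges, root, ref) if root else None})
    return findings


if __name__ == "__main__":
    for f in find_log4shell(SAMPLE_SBOM_JSON):
        print(f"{f['bom_ref']} {f['version']} via {' -> '.join(f['path'])}")
```

Two details carry most of the value for a practitioner: matching on the package URL instead of the display name (the same artifact can be listed under several names, and a purl carries the ecosystem and namespace), and keeping the `dependencies` graph, since without it the SBOM tells you that a vulnerable component is present but not which of your direct dependencies you must upgrade or pin to get rid of it.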
The sessions will run virtually from July 12 through July 21. Dial-in information for the calls will be available on CISA’s SBOM website. The dates and times of the sessions (all EDT) are as follows:
- Cloud and online applications, Session 1: July 12, 2022, 9:30 a.m. – 11:00 a.m.
- Cloud and online applications, Session 2: July 20, 2022, 3:00 p.m. – 4:30 p.m.
- Sharing and exchanging SBOMs, Session 1: July 12, 2022, 3:00 p.m. – 4:30 p.m.
- Sharing and exchanging SBOMs, Session 2: July 14, 2022, 9:30 a.m. – 11:00 a.m.
- Tools and implementation, Session 1: July 13, 2022, 3:00 p.m. – 4:30 p.m.
- Tools and implementation, Session 2: July 21, 2022, 9:30 a.m. – 11:00 a.m.
- On-ramps and adoption, Session 1: July 13, 2022, 9:30 a.m. – 11:00 a.m.
- On-ramps and adoption, Session 2: July 14, 2022, 3:00 p.m. – 4:30 p.m.