The Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force has met for the first time this calendar year, and designated work on a software bill of materials (SBOM) as one of its primary priorities for 2022, according to a Jan. 11 press release.
Talk about the need for an SBOM has picked up recently, as the idea of a software ingredient label has been touted as a way to more easily mitigate critical vulnerabilities like the Log4j vulnerability that the Cybersecurity and Infrastructure Security Agency (CISA) is currently helping agencies and organizations mitigate.
Additionally, the task force announced the creation of a third working group focused on a Hardware Bill of Materials and on determining what a baseline hardware bill of materials template needs to contain. The task force will also continue its Small and Medium-Sized Businesses and Product Marketing working groups.
“Given the risks facing the Nation’s supply chains, particularly around hardware and software, the work of the Task Force remains essential,” CISA Assistant Director and ICT SCRM Task Force Co-Chair Bob Kolasky said in the release.
The task force is also expanding its ranks with the addition of representatives from the Small Business Administration, the National Association of State Chief Information Officers (NASCIO), and the National Association of State Procurement Officials.
“One of our goals this year is to expand the utility of the work of the Task Force to a broader audience,” Kolasky added. “As part of that, we are thrilled that representatives of key state organizations and the SBA are joining the Task Force. They will bring a fresh perspective to our work and help connect efforts with a broader community.”
Other actions the task force plans to undertake this year include promoting software assurance and expanding partnerships both internationally and to other sectors.
This is now the third year of operations for the task force, which was launched in December 2018 as a collaborative effort between CISA and the Information Technology and Communications Sector Coordinating Councils. In August, the term of the task force was extended until July 31, 2023.