New federal SBOM guidance unveiled

SecurityWeek reports that the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Office of the Director of National Intelligence have introduced new guidance on open source software management and the consumption of software bills of materials (SBOMs) by software vendors and suppliers, in a bid to better protect the software supply chain. Beyond describing how to adopt SBOM processing and evaluate the risk of identified software flaws, the guidance covers measures to prevent exploitation of vulnerabilities and the practice of requesting a new SBOM whenever software is updated. According to the agencies, consuming thousands of SBOMs is crucial to understanding risk exposure, and getting the most out of them requires automated SBOM processing and analysis as well as intelligence derived from SBOM data. "Data from SBOMs feeds into many enterprise workflows, including procurement, asset management, vulnerability management, and overarching supply chain risk management and compliance functions. Therefore, the SBOM is often less useful as a file than as a collection of data that can be parsed, extracted, and loaded into automated processes," the guidance states.
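The "parsed, extracted, and loaded into automated processes" point in practice, as an added example that is not part of the article or the agencies' guidance: it parses a constructed CycloneDX JSON SBOM, normalises each component's package URL (purl) into a versionless key plus version, and matches the result against a constructed advisory feed whose package names and advisory ids are placeholders; a component without a purl is skipped rather than guessed at.

```python
import json
# Constructed CycloneDX 1.5 SBOM used as sample input (not taken from any real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "widget-parser", "version": "1.2.3",
         "purl": "pkg:npm/widget-parser@1.2.3"},
        {"type": "library", "name": "fastjson-lite", "version": "4.0.1",
         "purl": "pkg:maven/com.example/fastjson-lite@4.0.1?type=jar"},
        {"type": "library", "name": "unversioned-tool", "purl": "pkg:generic/unversioned-tool"},
    ],
})

# Constructed advisory feed: versionless purl -> {affected version: advisory id}.
# A real pipeline would load this from a vulnerability database; the ids are placeholders.
SAMPLE_ADVISORIES = {"pkg:maven/com.example/fastjson-lite": {"4.0.1": "EXAMPLE-ADV-0001"},
                     "pkg:npm/widget-parser": {"1.0.0": "EXAMPLE-ADV-0002"}}

def split_purl(purl):
    """Split a purl into (versionless purl, version), dropping qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None

def parse_sbom(text):
    """Extract components from a CycloneDX JSON SBOM as (purl base, version) records."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    records = []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl there is no reliable key for automated matching
        base, version = split_purl(purl)
        # Prefer the declared component version; fall back to the one encoded in the purl.
        records.append({"purl_base": base, "version": comp.get("version") or version})
    return records

def match_advisories(components, advisories):
    """Return (purl base, version, advisory id) for every component with a known advisory."""
    hits = []
    for c in components:
        advisory = advisories.get(c["purl_base"], {}).get(c["version"])
        if advisory:
            hits.append((c["purl_base"], c["version"], advisory))
    return hits
```

The same records can be loaded into an asset inventory or ticketing system; the matching step is deliberately exact-version so that a real feed's version ranges would need a proper range comparator rather than this dictionary lookup.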
