Celebrating 5 years of NTIA’s SBOM work

A few months ago, I sent out an illusive tweet about an upcoming birthday for a supply chain security project. That anniversary was for distroless images, but the tweet prompted several responses from other projects highlighting their upcoming milestone-aversarys, including the five year anniversary of the National Telecommunications and Information Administration's (NTIA) official Software Bill of Materials (SBOMs) work.

SBOMs, an ingredients list of what is in a piece of software, have become a cornerstone of the software supply chain security conversation. Today, we’re excited to celebrate how far SBOMs have come and the work that still needs to be done to ensure SBOMs live up to their promise. ‍

Understanding the history of SBOMs

‍On June 7, 2018, the NTIA created an SBOM initiative, emphasizing the need for transparency and security in software development and distribution.‍

And in 2019, the NTIA convened a multi-stakeholder group, consisting of industry leaders, security experts, and government representatives, to develop guidelines and best practices for implementing SBOMs effectively. This collaborative effort resulted in the release of the "NTIA Software Component Transparency" report, laying the foundation for the adoption and standardization of SBOMs as we know them today.‍

We caught up with Allan Friedman, Senior Advisor and Strategist at DHS CISA and previous Director of Cybersecurity Initiatives at NTIA, where he led the pioneering work on SBOM, to ask him about his thoughts on where SBOM started and where it is today:‍

“The US government didn’t invent the idea of SBOM, but I think we helped catalyze the movement towards greater transparency in our supply chains by bringing together a diverse community of experts. The actual work has been done by an international group of dedicated volunteers, collaborating across sectors, technologies, and businesses, making sure that our solutions work for everyone. It’s gratifying to see how much progress has been made. CISA is excited to continue to be a common gathering point and facilitator to continue progress.”

‍Since their inception, SBOMs, more than any other software supply chain security concept or technology, have captured the attention of software producers and consumers interested in software transparency. At their core, SBOMs promise faster vulnerability response by providing information about what’s in a piece of software. Some industry groups are now pushing to implement SBOMs everywhere, but there is a big difference between tomorrow’s SBOM promise and today’s SBOM reality.‍

State of SBOM quality

‍To monitor SBOMs’ adoption Chainguard Labs conducted several studies to assess the quality and effectiveness of SBOMs in enhancing software security. Their research focused on the following key areas:

• SBOM Completeness:

  Chainguard Labs examined the degree to which SBOMs generated by a range of tools contain baseline information associated with the so-called NTIA minimum elements. Only one percent of analyzed SBOMs conformed with the NTIA minimum elements, largely due to the fact that most SBOMs lack specified suppliers for their components.

• SBOM Accuracy:

  The accuracy of SBOMs plays a crucial role in enabling organizations to identify and remediate vulnerabilities effectively. To evaluate the ability of SBOMs to accurately represent underlying software, Chainguard Labs conducted in-depth analysis of package manager metadata in popular container images. Their research found that popular open source containers are, on average, composed of 63% software dark matter — software that is untracked by package manager metadata and, hence, unlikely to be recorded in a SBOM.

‍These findings point to current shortfalls in SBOM tooling and suggest avenues for future improvement.‍

Future of SBOMs

‍Chainguard Labs' research on SBOM quality has significantly contributed to advancing the understanding and implementation of SBOMs in the industry. The findings have been instrumental in shaping best practices and guidelines for generating reliable and actionable SBOMs, reinforcing software security across the entire supply chain.‍

Looking ahead, SBOMs are poised to become an integral part of industry-wide software security practices. Their adoption is gaining momentum globally, with governments, regulatory bodies, and industry leaders recognizing their importance in mitigating supply chain risks. Chainguard remains at the forefront of this movement, driving innovation, and offering cutting-edge solutions to enhance SBOM quality and promote secure software development.‍

Chainguard was recently awarded an opportunity by the Department of Homeland Security Science and Technology Directorate (DHS S&T) to join its new startup cohort focused on strengthening software supply chain visibility tools, including SBOM. The cohort is designed to empower disruptors that are developing innovative solutions to address the growing risks associated with software supply chain attacks.‍

As part of the contract, Chainguard will contribute to an open source SBOM formation translation tool alongside the other selected startups and also develop an SBOM composition tool that will allow for the integration of SBOMs regardless of format.‍‍

As we celebrate the five year anniversary of NTIA’s SBOM work, it is important to reflect on where we have been and look ahead to where we are going. SBOMs have a pivotal role to play in ensuring software security and strengthening supply chains. We are committed to working with partners across government and industry to safeguard our digital infrastructure and foster trust and resilience in the software ecosystem we all rely on. ‍

We look forward to participating in next week’s SBOM-a-Rama event hosted by CISA on June 14, 2023, to support the advancement of SBOM technologies and practices. If you have questions about implementing and using SBOMs or VEX, reach out today and our team will be happy to assist you.