[Federal Register Volume 87, Number 105 (Wednesday, June 1, 2022)]
[Notices]
[Pages 33192-33193]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-11733]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY


Public Listening Sessions on Advancing SBOM Technology, 
Processes, and Practices

AGENCY: Cybersecurity and Infrastructure Security Agency, DHS.

ACTION: Announcement of public listening sessions.

-----------------------------------------------------------------------

SUMMARY: The Cybersecurity and Infrastructure Security Agency will 
facilitate a series of public listening sessions to build on existing 
community-led work around Software Bill of Materials (``SBOM'') on 
specific SBOM topics.

DATES: Two listening sessions will be held for each open topic 
specified in Section II of the SUPPLEMENTARY INFORMATION caption as 
follows:
    1. Topic 1, Session 1: July 12, 2022 from 9:30 a.m. to 11 a.m., 
Eastern Daylight Time.
    2. Topic 1, Session 2: July 20, 2022 from 3:00 p.m. to 4:30 p.m., 
Eastern Daylight Time.
    3. Topic 2, Session 1: July 12, 2022 from 3:00 p.m. to 4:30 p.m., 
Eastern Daylight Time.
    4. Topic 2, Session 2: July 14, 2022 from 9:30 a.m. to 11 a.m., 
Eastern Daylight Time.
    5. Topic 3, Session 1: July 13, 2022 from 3:00 p.m. to 4:30 p.m., 
Eastern Daylight Time.
    6. Topic 3, Session 2: July 21, 2022 from 9:30 a.m. to 11 a.m., 
Eastern Daylight Time.
    7. Topic 4, Session 1: July 13, 2022 from 9:30 a.m. to 11 a.m., 
Eastern Daylight Time.
    8. Topic 4, Session 2: July 14, 2022 from 3:00 p.m. to 4:30 p.m., 
Eastern Daylight Time.

ADDRESSES: The listening sessions will be held virtually, with 
connection information and dial-in information available at https://www.cisa.gov/SBOM.

FOR FURTHER INFORMATION CONTACT: Justin Murphy, Phone: (202) 961-4350, 
email: [email protected].

SUPPLEMENTARY INFORMATION: A Software Bill of Materials (``SBOM'') has 
been identified by the cybersecurity community as a key aspect of 
modern cybersecurity, including software security and supply chain 
security. E.O. 14028 declares that ``the trust we place in our digital 
infrastructure should be proportional to how trustworthy and 
transparent that infrastructure is, and to the consequences we will 
incur if that trust is misplaced.'' \1\ SBOMs play a key role in 
providing this transparency.
---------------------------------------------------------------------------

    \1\ E.O. 14028, Improving the Nation's Cybersecurity, 1, 86 FR 
26633 (May 17, 2021).
---------------------------------------------------------------------------

    E.O. 14028 defines SBOM as ``a formal record containing the details 
and supply chain relationships of various components used in building 
software.'' \2\ The E.O. further notes that ``[s]oftware developers and 
vendors often create products by assembling existing open source and 
commercial software components. The SBOM enumerates these components in 
a product.'' \3\ Transparency from SBOMs aids multiple parties across 
the software lifecycle, including software developers, purchasers, and 
operators.\4\ Recognizing the importance of SBOMs in transparency and 
security, and that SBOM evolution and refinement should come from the 
community to maximize efficacy, the Cybersecurity and Infrastructure 
Security Agency (CISA) is facilitating listening sessions around SBOM, 
which are intended to advance the software and security communities' 
understanding of SBOM creation, use, and implementation across the 
broader technology ecosystem.
---------------------------------------------------------------------------

    \2\ Id. at 10(j), 86 FR 26633 at 26646 (May 17, 2021).
    \3\ Ibid.
    \4\ Ibid.
---------------------------------------------------------------------------

I. SBOM Background

    The idea of a software bill of materials is not novel.\5\ It has 
been discussed and explored in the software industry for many years, 
building on innovation from industrial and supply chain work.\6\ 
Academics identified the potential value of a ``software bill of 
materials'' as far back as 1995,\7\ and tracking use of
third-party code has been identified as a longstanding software best 
practice.\8\
---------------------------------------------------------------------------

    \5\ A brief summary of the history of a software bill of 
materials can be found in Carmody, S., Coravos, A., Fahs, G. et al. 
Building resilient medical technology supply chains with a software 
bill of materials. npj Digit. Med. 4, 34 (2021). https://doi.org/10.1038/s41746-021-00403-w.
    \6\ See ``Toyota Supply Chain Management: A Strategic Approach 
to Toyota's Renowned System'' by Ananth V. Iyer, Sridhar Seshadri, 
and Roy Vasher--a work about Edwards Deming's Supply Chain 
Management https://books.google.com/books/about/Toyota_Supply_Chain_Management_A_Strateg.html?id=JY5wqdelrg8C.
    \7\ Leblang D.B., Levine P.H., Software configuration 
management: Why is it needed and what should it do? In: Estublier J. 
(eds) Software Configuration Management Lecture Notes in Computer 
Science, vol. 1005, Springer, Berlin, Heidelberg (1995).
    \8\ The Software Assurance Forum for Excellence in Code 
(SAFECode), an industry consortium, has released a report on third 
party components that cites a range of standards. Managing Security 
Risks Inherent in the Use of Third-party Components, SAFECode (May 
2017), available at https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf.
---------------------------------------------------------------------------

    Still, SBOM generation and sharing across the software supply chain 
was not seen as a commonly accepted practice in modern software. In 
2018, the National Telecommunication and Information Administration 
(NTIA) convened the first ``multistakeholder process'' to ``promot[e] 
software component transparency.'' \9\ Over the subsequent three years, 
this stakeholder community developed guidance to help foster the idea 
of SBOM, including high level overviews, initial advice on 
implementation, and technical resources.\10\ When the NTIA-initiated 
multistakeholder process concluded, NTIA noted that ``what was an 
obscure idea became a key part of the global agenda around securing 
software supply chains.'' \11\
---------------------------------------------------------------------------

    \9\ National Telecommunications and Information Administration 
(NTIA), Notice of Open Meeting, 83 FR 26434 (June 7, 2018).
    \10\ Ntia.gov/SBOM.
    \11\ NTIA, Marking the Conclusion of NTIA's SBOM Process (Feb. 
9, 2022), https://www.ntia.doc.gov/blog/2022/marking-conclusion-ntia-s-sbom-process.
---------------------------------------------------------------------------

    However, CISA believes that the concept of SBOM and its 
implementation need further refinement. Work to help scale and 
operationalize SBOM implementation should continue to come from a 
broad-based community effort, rather than be dictated by any specific 
entity. To support such a community effort to advance SBOM 
technologies, processes, and practices, CISA will facilitate a series 
of listening sessions.

II. Topics for CISA Listening Sessions

    The list below represents open topics in the field of SBOM and 
related cybersecurity topics on which CISA intends to facilitate a 
series of listening sessions. This is not an exhaustive set of open 
topics identified by the community at large, but represents a set of 
open topics identified as being priorities by the community. Solutions 
related to these topics that reflect the diverse needs of the software 
community will help advance progress towards greater software 
transparency and a more secure ecosystem.
    Topic 1: Cloud and online applications--Much existing discussion 
around SBOM, particularly around SBOM use cases, has focused on on-
premises software. Cloud and Software-as-a-Service (SaaS)-based software 
comprises a large and growing segment of the software ecosystem. 
Potential sub-topics may include: How should the community think about 
SBOM in the context of online applications and modern infrastructure? 
How can the community integrate SBOM work into emerging cloud-native 
opportunities?
    Topic 2: Sharing and Exchanging SBOMs--Moving SBOMs and related 
metadata across the software supply chain will require understanding 
how to enable discovery and access. Potential sub-topics may include: 
How can suppliers and consumers of SBOMs share this data at scale? What 
can the community do to promote interoperability of potential 
solutions?
    Topic 3: Tools and Implementation--SBOM implementation will be 
driven by a range of accessible and constructive tools and enabling 
applications, both open source and commercial in nature. Potential sub-
topics may include: How can the community promote the SBOM tooling 
ecosystem? What is needed to drive and test interoperability and 
harmonization?
    Topic 4: On-ramps and Adoption--Broader SBOM adoption may require 
enabling resources to promote awareness and lower the costs and 
complexities of adoption. Potential sub-topics may include: What can 
the community do to make it easier and cheaper to generate and use SBOM 
data? How can the community promote this concept?

III. Process for CISA-Facilitated SBOM Community Collaboration

    For each topic, CISA will facilitate interested community members 
in two open and transparent listening sessions. CISA will act as a 
facilitator and participants will drive the outcomes, including any 
specific issues of focus or next steps. CISA will not be seeking any 
group consensus advice and/or input from the listening sessions. If 
participants wish to schedule regular meetings or build communication 
channels, CISA will assist, to the extent possible, in facilitating 
effective and constructive collaboration. CISA will not request 
specific outputs from meeting participants, nor is it currently CISA's 
intent to use information shared during listening sessions to directly 
address or inform any Federal policy decision. The participants may 
identify any further resources the global software and security 
community could use for each identified topic.
    Information shared during listening sessions may be made publicly 
available. For this reason, please do not include non-public or 
confidential information in your responses to listening session topics, 
such as sensitive personal information or proprietary information.
    Additional information regarding the listening sessions will be 
posted at https://cisa.gov/SBOM.
    This notice is issued under the authority of 6 U.S.C. 652(c)(10)-
(11), 659(c)(4), (9), (12).

Eric Goldstein,
Executive Assistant Director for Cybersecurity, Cybersecurity and 
Infrastructure Security Agency, Department of Homeland Security.
[FR Doc. 2022-11733 Filed 5-31-22; 8:45 am]
BILLING CODE 9110-9P-P