[Federal Register Volume 89, Number 98 (Monday, May 20, 2024)]
[Notices]
[Pages 43867-43868]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-10922]



[[Page 43867]]

-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY


Fall 2024 Cybersecurity and Infrastructure Security Agency SBOM-
a-Rama; Meeting

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).

ACTION: Announcement of public event.

-----------------------------------------------------------------------

SUMMARY: CISA will facilitate a public event to build on existing 
community-led work around Software Bill of Materials (SBOM) on specific 
SBOM topics. The first goal of this two-day event is to help the 
broader software and security community understand the current state of 
SBOM. Secondly, this event will foster discussion between organizations 
interested in exploring SBOM automation solutions and those focusing on 
open source and proprietary tools.

DATES: Wednesday September 11, 2024 from 11:00 a.m. to 6:00 p.m., 
Eastern Daylight Time, or 9:00 a.m. to 4:00 p.m., Mountain Daylight 
Time and Thursday September 12, 2024 from 10:00 a.m. to 1:30 p.m., 
Eastern Daylight Time, or 8:00 a.m. to 11:30 a.m., Mountain Daylight 
Time.

ADDRESSES: The event will be a hybrid event held at the Denver Athletic 
Club, 1325 Glenarm Place, Denver CO 80204, as well as virtually, with 
connection information and dial-in information available at https://www.cisa.gov/news-events/events/sbom-rama-fall-2024. A form to allow 
individuals to register their interest in either in-person or virtual 
participation will be available at https://www.cisa.gov/news-events/events/sbom-rama-fall-2024. See the ``Participation in the SBOM-a-
Rama'' section in the SUPPLEMENTARY INFORMATION caption for more 
information on how to participate.

FOR FURTHER INFORMATION CONTACT: Allan Friedman, (202) 961-4349, Email: 
[email protected].

SUPPLEMENTARY INFORMATION: An SBOM has been identified by the 
cybersecurity community as a key aspect of modern cybersecurity, 
including software security and supply chain security. Executive Order 
(E.O.) 14028 declares that ``the trust we place in our digital 
infrastructure should be proportional to how trustworthy and 
transparent that infrastructure is, and to the consequences we will 
incur if that trust is misplaced.'' \1\ SBOMs play a key role in 
providing this transparency.
---------------------------------------------------------------------------

    \1\ E.O. 14028, Improving the Nation's Cybersecurity, 1, 86 FR 
26633 (May 17, 2021).
---------------------------------------------------------------------------

    E.O. 14028 defines SBOM as ``a formal record containing the details 
and supply chain relationships of various components used in building 
software.'' \2\ The E.O. further notes that ``. . .software developers 
and vendors often create products by assembling existing open source 
and commercial software components. The SBOM enumerates these 
components in a product.'' \3\ Transparency from SBOMs aids multiple 
parties across the software lifecycle, including software developers, 
purchasers, and operators.\4\ Recognizing the importance of SBOMs in 
transparency and security, and that SBOM evolution and refinement is 
likely to be most effective coming from the community; CISA is 
facilitating a public event which is intended to advance the software 
and security communities' understanding of SBOM creation, use, and 
implementation across the broader technology ecosystem.
---------------------------------------------------------------------------

    \2\ Id. at 10(j), 86 FR 26633 at 26646 (May 17, 2021).
    \3\ Ibid.
    \4\ Ibid.
---------------------------------------------------------------------------

I. SBOM Background

    The idea of an SBOM is not novel.\5\ It has been discussed and 
explored in the software industry for years, building on industrial and 
supply chain innovations.\6\ Academics identified the potential value 
of a ``software bill of materials'' as far back as 1995,\7\ and 
tracking use of third-party code is a longstanding software best 
practice.\8\
---------------------------------------------------------------------------

    \5\ A brief summary of the history of a software bill of 
materials can be found in Carmody, S., Coravos, A., Fahs, G. et al. 
Building resilient medical technology supply chains with a software 
bill of materials. npj Digit. Med. 4, 34 (2021). https://doi.org/10.1038/s41746-021-00403-w.
    \6\ See ``Toyota Supply Chain Management: A Strategic Approach 
to Toyota's Renowned System'' by Ananth V. Iyer, Sridhar Seshadri, 
and Roy Vasher--a work about Edwards Deming's Supply Chain 
Management https://books.google.com/books/about/Toyota_Supply_Chain_Management_A_Strateg.html?id=JY5wqdelrg8C
    \7\ Leblang D.B., Levine P.H., Software configuration 
management: Why is it needed and what should it do? In: Estublier J. 
(eds) Software Configuration Management Lecture Notes in Computer 
Science, vol. 1005, Springer, Berlin, Heidelberg (1995).
    \8\ The Software Assurance Forum for Excellence in Code 
(SAFECode), an industry consortium, has released a report on third 
party components that cites a range of standards. Managing Security 
Risks Inherent in the Use of Third-party Components, SAFECode (May 
2017), available at https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf.
---------------------------------------------------------------------------

    Still, SBOM generation and sharing across the software supply chain 
was not seen as a commonly accepted practice in modern software. In 
2018, the National Telecommunications and Information Administration 
(NTIA) convened the first multistakeholder process to promote software 
component transparency.\9\ Over the subsequent three years, this 
stakeholder community developed guidance to help foster the idea of 
SBOM, including high-level overviews, initial advice on implementation, 
and technical resources.\10\ When the NTIA-initiated multistakeholder 
process concluded, NTIA noted ``what was an obscure idea became a key 
part of the global agenda around securing software supply chains.'' 
\11\ In July 2022, CISA facilitated eight public listening sessions 
around four open topics (two for each topic): Cloud & Online 
Applications, Sharing & Exchanging SBOMs, Tooling & Implementation, and 
On-ramps & Adoption.\12\ These public listening sessions resulted in 
the formation of four public, community-led workstreams around each of 
the four topics. These groups have been convening on a weekly basis 
since August 2022. More information can be found at https://cisa.gov/SBOM.
---------------------------------------------------------------------------

    \9\ National Telecommunications and Information Administration 
(NTIA), Notice of Open Meeting, 83 FR 26434 (June 7, 2018).
    \10\ Ntia.gov/SBOM.
    \11\ NTIA, Marking the Conclusion of NTIA's SBOM Process (Feb. 
9, 2022), https://www.ntia.doc.gov/blog/2022/marking-conclusion-ntia-s-sbom-process.
    \12\ Public Listening Sessions on Advancing SBOM Technology, 
Processes, and Practices, https://www.federalregister.gov/documents/2022/06/01/2022-11733/public-listening-sessions-on-advancing-sbom-technology-processes-and-practices.
---------------------------------------------------------------------------

    CISA believes that the concept of SBOM and its implementation would 
benefit from further refinement, and that a broad-based community 
effort can help scale and operationalize SBOM implementation. To 
support such a community effort to advance SBOM technologies, 
processes, and practices, CISA facilitated the 2023 CISA SBOM-a-Rama 
and the Winter 2024 SBOM-a-Rama. These events reach a broader, 
international audience, and allow the exchange of information and ideas 
from more perspectives. The Fall 2024 SBOM-a-Rama will build on the 
previous events to offer updates as well as present new discussion 
topics for consideration by the community.

II. Topics for CISA SBOM-a-Rama

    The goal of this event is to help the broader software and security 
community understand the current state of SBOM and what efforts have 
been made by different parts of the SBOM community, including CISA-
facilitated, community-led work and other activity from sectors and 
governments. Attendees are invited to ask questions, share comments, 
and raise further issues

[[Page 43868]]

that need attention. CISA will also facilitate conversations on how the 
community can most efficiently make progress in addressing gaps in the 
SBOM ecosystem. One key focus of this event will be the need for tools 
to automate SBOM creation, management, and consumption.
    A full agenda will be posted in advance of the meeting at https://www.cisa.gov/news-events/events/sbom-rama-fall-2024.

III. Participation in the SBOM-a-Rama

    This event is open to the public. CISA welcomes participation from 
anyone interested in learning about the current state of SBOM practice 
and implementation including private sector practitioners, policy 
experts, academics, and representatives from non-U.S. organizations. 
Additional information, including the meeting link, will be available 
one week before the meeting date at https://www.cisa.gov/SBOM.
    This notice is issued under the authority of 6 U.S.C. 652(c)(10)-
(11) and 6 U.S.C. 659(c)(4).

Eric Goldstein,
Executive Assistant Director for Cybersecurity, Cybersecurity and 
Infrastructure Security Agency, Department of Homeland Security.
[FR Doc. 2024-10922 Filed 5-17-24; 8:45 am]
BILLING CODE 9111-LF-P