The Modem Lisa Background

IT Procurement and ITAM need to join the SBOM-A-RAMA and take their place in the Software Supply Chain.


CISA held SBOM-A-RAMA 2023 on June 14, a fast-paced collection of updates and reviews of the activities surrounding the guidance and policies being written around Software Bill of Materials (SBOM) or maybe what will be called Full or Cross Stack BOM (XBOM) or Technology BOM (TBOM). IT Procurement and Technology Asset Management (ITAM) come in all shapes and sizes, which is why I was surprised so few people in these roles attended this massively informative event. Also, I was surprised the entire audience wasn’t larger, but not so shocked that the primary audience were security related professionals. It would seem the concept of Bill of Materials started with a need for procurement knowledge because you can’t make the product without the materials! But along the way IT Procurement professionals got left in the dark and have no idea what comprises the technology they buy, and often they don’t have the knowledge to even ask the right questions. One of my former leaders had a very not vegan friendly way of saying he didn’t need to “know what’s in the sausage”. During the last decade of abundant tech jobs, IT Procurement and ITAM weren’t promoted as technical positions as much as administrative and this meant in some places having technical knowledge wasn’t as important as getting data entered, purchase orders issued, budgets planned, and reports run. But in this world where companies of all sizes can be in the line of fire in cyber warfare IT Procurement and ITAM have a critical role in securing the Software Supply Chain. It’s time to step up to defend your role and company if you’re an IT Procurement or ITAM professional now, or if you’re looking for a role in securing technology, maybe these are the roles for you.

Speaking the same SBOM language.

Being the Chooser is being the Gatekeeper.

Knowing what to ask.

  • Be clear about the format you want, which will be based on how you intend to ingest the SBOM for your needs and we’ll dive into this more below.
  • What standard should the SBOM follow; SPDX and CycloneDX are both supported by the CISA/NTIA guidance.
  • Provide your own minimum elements. What the Department of Commerce and NTIA list may not be enough for your needs.
  • Include requirements for delivery, make sure you have an easy mechanism for obtaining the SBOM with each release of the software you receive. Not all producers will be providing SBOMs on their websites, though CISA is requesting inclusion in support documentation this may prove difficult or push more documentation behind logins.
  • Define repercussions for lack of delivery but avoid punishment for error. Mistakes will happen as producers are getting their footing with SBOM practices. Developers are still learning techniques for implementing SBOM and in unregulated, non-government industries a lot of these concepts are still new.

Knowing your limits.

“Agencies are not required to collect attestations from software producers for products that are proprietary but freely obtained and publicly available. Open-source software freely and directly obtained by Federal agencies is outside the scope of NIST’s guidance for agencies on software supply chain security.7 This memorandum further clarifies that no-cost, publicly available proprietary software is also out of scope for M-22-18 attestation collection.”

And the requirements are just coming into play for FDA regulated medical device software around October for software developed after Sept. 14, 2022, as the first agency. If you’re an IT Procurement or ITAM working in Medical, Energy or Automotive, this is very likely old news to you as these are the industries involved in the POCs which are forming the CISA guidance. Outside these industries, without regulations you’ll need to use other techniques to get the Producers to work with you on delivering SBOMS.

Ingesting and Actioning on SBOMs.

To know what formats and minimum fields to request from producers, IT Procurement and ITAM must have a way to read the SBOM, review the data for key information, process the information to the correct stakeholders, relate the SBOM to the rest of the technology stack, store the SBOM and update the SBOM along the software lifecycle. What tools do you already have that might read SBOMs?

In all these cases, the tool will dictate the format, standard and data fields accepted and tracked. If you’re ingesting SBOM for multiple purposes and different tools are used this can also mean incompatibility. If you’re ITAM tool is only reading SPDX and your Cyber Security tooling reads CycloneDX you may have to perform your own conversion process and when requesting SBOMs decide which is preferred to start with.

Sharing the SBOM love.

Acting on SBOM data needs to be timely. If you’re in an RFP process trying to determine the software or negotiate a purchase license and vulnerability data can be critical. Making sure the SBOM data is accessible to the Legal and Security teams can avoid a regretful purchase but who else in your organization might need access to the SBOM data? Who is managing the lifecycle of the software? Who is supporting the rest of the stack? Does your company utilize business and risk analysis teams? It’s hard to say how far SBOM data goes in any given organization so explore all the areas of your business that software will potentially impact. Often ITAM and IT Procurement has the ability to see all aspects of the business since every employee ends up a customer in some form. This is why getting SBOM data upfront in the IT Procurement process is so critical, and if you can’t at purchase, then before an ITAM onboards software or any technology asset into their environment.

Negotiating for SBOMs.

Technology negotiations are already filled with variables, and this is just another lever to pull along the way. Every organization will have to make the choice of how strict to be when asking for SBOMs and when in the process. Because many producers still see SBOMs incorrectly as a threat to their Intellectual Property, there is a lot of push back on providing them. Getting SBOMs before a purchase may be challenging since often NDA or more extensive Legal paperwork has to exist between parties before SBOMs are delivered. If you’re a regulated industry or government entity getting SBOMs will be easier than in the more commercially free businesses. When there are no hard requirements, you may need to accept the promise of Deployment SBOM when the software is installed. Use this as a point for producers to compete and like anything in the market, the process will improve to satisfy choosers. Don’t forget that you need the continual delivery of updates and a mechanism for ending your agreement if they are unable to comply.

All along the lifecycle.

Knowledge is power.

Now that you know how critical the IT Procurement and ITAM role is in the Software Supply Chain you can’t unlearn it! You should incorporate the collection, review, and dissemination of SBOMs into your technology acquisition and software lifecycle processes. Write into your technology purchase policy the requirement for Software Bill of Materials (SBOM) with any software purchase or SaaS subscription. I only touched on how on-premises software in this article, but the concepts translate with additional complicating factors as we span other technologies. Depending on the hardware and IoT purchase process, firmware will require SBOM, along with management software and hosted platforms used to support or service the hardware. Wearable technology holds many threats when we don’t know the software stack under the hood, it’s time to pop it open! With the rise of AI, advanced minds in this field should consider potential needs for data bill of materials (DBOM) and third party attribution when obtaining stock media, such as photos and videos or NFTs. I have so much more about AI, SBOM and ITAM to share in upcoming articles so keep watching!

Leave a Reply

Your email address will not be published. Required fields are marked *


Popular Posts


Subscribe now to keep reading and get access to the full archive.

Continue Reading