Profile Applicability:
Level 1

Description:
All third-party software suppliers must provide a comprehensive Software Bill of Materials (SBOM) detailing the components, libraries, and dependencies included in their software deliverables. This requirement ensures transparency into the software supply chain and enables better risk assessment and management.

Rationale:
Requiring an SBOM from suppliers improves supply chain security by allowing organizations to identify vulnerable or unapproved components. It supports compliance with industry standards and regulations and facilitates efficient vulnerability management and incident response.

Impact:
Pros:

  • Enhances transparency and control over third-party software components.

  • Facilitates vulnerability tracking and remediation.

  • Supports regulatory and contractual compliance.

  • Improves overall software supply chain risk management.

Cons:

  • May increase supplier onboarding complexity.

  • Requires processes to validate and manage SBOM data.

Default value:
Not all organizations currently require SBOMs from third-party software suppliers, increasing supply chain risks.

Audit:
Verify that contractual agreements and procurement records include SBOM requirements. Review received SBOMs for completeness and validity.

Remediation:
Update supplier contracts and procurement policies to mandate SBOM submission. Establish procedures to validate and integrate SBOMs into security and compliance workflows. Educate procurement and vendor management teams.
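As an added example (not part of this benchmark text), the following Python script sketches the kind of completeness and validity check an SBOM intake procedure could run on a supplier-delivered SPDX 2.3 JSON document before it is accepted into vulnerability-management workflows. The embedded sample SBOM is constructed for illustration; the list of fields treated as required, the purl pattern and the finding messages are this script's own choices and are not a full implementation of the SPDX specification.

```python
import json
import re

# Constructed sample: a minimal SPDX 2.3 JSON SBOM as a supplier might deliver it.
# One dependency (libfoo) deliberately lacks a version and a package URL so the
# check has something to report.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-1.4.0",
    "documentNamespace": "https://example.invalid/spdx/example-app-1.4.0",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: example-generator"]},
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-app", "versionInfo": "1.4.0",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/example-app@1.4.0"}]},
        {"name": "libfoo", "SPDXID": "SPDXRef-Package-libfoo",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION"},
        {"name": "libbar", "SPDXID": "SPDXRef-Package-libbar", "versionInfo": "2.0.1",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/libbar@2.0.1"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libfoo"},
    ],
})

# Fields this intake check insists on (an assumption of this example, not the
# full SPDX mandatory-field list).
REQUIRED_DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                       "documentNamespace", "creationInfo", "packages")
REQUIRED_PKG_FIELDS = ("name", "SPDXID", "downloadLocation")
# Loose shape check for a package URL: "pkg:<type>/..."
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/")


def check_sbom(sbom_json: str) -> list:
    """Return a list of human-readable findings; an empty list means the SBOM
    passed every check this intake procedure applies."""
    findings = []
    try:
        doc = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return [f"document: not valid JSON ({exc.msg})"]

    # Document-level completeness.
    for field in REQUIRED_DOC_FIELDS:
        if field not in doc:
            findings.append(f"document: missing required field '{field}'")
    version = doc.get("spdxVersion")
    if version is not None and not str(version).startswith("SPDX-2."):
        findings.append(f"document: unexpected spdxVersion '{version}'")

    packages = doc.get("packages") or []
    if not packages:
        findings.append("document: no packages listed")

    # Package-level completeness: each component needs an identity that can be
    # matched against vulnerability data (a version and a package URL).
    seen_ids = set()
    for index, pkg in enumerate(packages):
        label = pkg.get("name") or pkg.get("SPDXID") or f"package #{index}"
        for field in REQUIRED_PKG_FIELDS:
            if field not in pkg:
                findings.append(f"{label}: missing required field '{field}'")
        pkg_id = pkg.get("SPDXID")
        if pkg_id in seen_ids:
            findings.append(f"{label}: duplicate SPDXID '{pkg_id}'")
        seen_ids.add(pkg_id)
        if not pkg.get("versionInfo"):
            findings.append(f"{label}: no versionInfo; cannot be matched to vulnerability data")
        purls = [ref.get("referenceLocator") for ref in pkg.get("externalRefs", [])
                 if ref.get("referenceType") == "purl"]
        if not purls:
            findings.append(f"{label}: no purl external reference")
        elif not all(PURL_RE.match(str(p)) for p in purls):
            findings.append(f"{label}: malformed purl {purls}")

    # Validity of the relationship graph: every edge must point at a known
    # element, and the document must DESCRIBE at least one package.
    known = seen_ids | {doc.get("SPDXID")}
    described = False
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(key) not in known:
                findings.append(f"relationship: dangling reference '{rel.get(key)}'")
        if rel.get("relationshipType") == "DESCRIBES" and rel.get("spdxElementId") == doc.get("SPDXID"):
            described = True
    if not described:
        findings.append("document: no DESCRIBES relationship from the document to a package")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against the constructed sample, the script reports only the two gaps in `libfoo` (no version, no purl); an empty result is the condition an intake procedure would require before the SBOM is loaded into vulnerability tracking.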

References:

  1. NTIA Software Component Transparency: https://www.ntia.gov/SBOM

  2. SPDX Specification: https://spdx.dev/specifications/

  3. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/