A software bill of materials is produced and made available to consumers of software.
Collect and safeguard detailed provenance data for each component within a software release, maintaining it in a software bill of materials (SBOM) that can be shared with software acquirers and operations teams. Protect the SBOM’s integrity to ensure accurate traceability and update it as components change over time. This enables consumers to understand the origins and dependencies of each software component, supporting secure and transparent software usage.
Establish processes to generate comprehensive SBOMs for all open-source software (OSS) components that are rebuilt as part of your software supply chain. Each SBOM should capture detailed provenance data, including the origins, dependencies, and versions of each package, ensuring alignment with auditability requirements. Maintain the integrity of the SBOMs to provide accurate traceability for software users and stakeholders, facilitating dependency management and transparency. Update SBOMs as components evolve or dependencies change, enabling organizations to assess the blast radius of potential vulnerabilities or issues. Share SBOMs securely with authorized acquirers or operators to enhance the overall security and reliability of the software supply chain.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-03-01-02-01-01 | Identify and document rebuilt OSS components | Catalog all open-source software (OSS) components you rebuild, including their versions, dependencies, and sources. | Preparation | Development teams, Security team |
SSS-03-01-02-01-02 | Use tools to generate SBOMs | Leverage Software Bill of Materials (SBOM) generation tools to capture detailed supply chain metadata for each rebuilt package. | Development | DevOps team, Security team |
SSS-03-01-02-01-03 | Incorporate SBOM generation into CI/CD pipelines | Automate the generation of SBOMs during the build process to ensure that every rebuilt OSS component is accompanied by its SBOM. | Development | DevOps team, Build engineers |
SSS-03-01-02-01-04 | Store SBOMs in a central repository | Maintain a centralized repository for storing and managing SBOMs, ensuring easy access for audits, compliance, and vulnerability tracking. | Deployment | Security team, Compliance team |
SSS-03-01-02-01-05 | Leverage SBOMs for risk assessment and audit | Use SBOMs to assess the blast radius of vulnerabilities and ensure traceability and compliance for regulatory or audit requirements. | Post-deployment | Security team, Risk management team |
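As an added illustration (not code from this framework page), the following Python sketch walks through the lifecycle the operations above describe: generating a minimal CycloneDX-style SBOM with provenance for a set of rebuilt OSS packages, pinning its integrity with a digest that a consumer can verify, and using the recorded dependency graph to compute the blast radius of a vulnerable component. The package names, versions and source URLs are constructed sample data, and the document is a small subset of the CycloneDX schema, not a full implementation.

```python
import hashlib
import json

# Constructed sample inventory of rebuilt OSS packages (hypothetical names/sources).
REBUILT_OSS = [
    {"name": "web-gateway", "version": "2.3.1", "source": "https://example.invalid/web-gateway", "depends_on": ["libhttp", "libjson"]},
    {"name": "libhttp", "version": "0.9.4", "source": "https://example.invalid/libhttp", "depends_on": ["libtls"]},
    {"name": "libjson", "version": "3.1.0", "source": "https://example.invalid/libjson", "depends_on": []},
    {"name": "libtls", "version": "1.2.7", "source": "https://example.invalid/libtls", "depends_on": []},
]

def build_sbom(components):
    """Minimal CycloneDX-style document: provenance per component plus a dependency graph."""
    refs = {c["name"]: f"pkg:generic/{c['name']}@{c['version']}" for c in components}
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"bom-ref": refs[c["name"]], "type": "library", "name": c["name"], "version": c["version"],
             "purl": refs[c["name"]], "externalReferences": [{"type": "vcs", "url": c["source"]}]}
            for c in components
        ],
        "dependencies": [
            {"ref": refs[c["name"]], "dependsOn": [refs[d] for d in c["depends_on"]]}
            for c in components
        ],
    }

def sbom_digest(sbom):
    """SHA-256 over canonical JSON; store (or sign) it beside the SBOM so tampering is detectable."""
    canonical = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def verify_sbom(sbom, expected_digest):
    return sbom_digest(sbom) == expected_digest  # consumer-side integrity check before use

def blast_radius(sbom, vulnerable_name):
    """Names of every component that transitively depends on vulnerable_name (what must be rebuilt)."""
    name_of = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    reverse = {}  # dependency name -> set of direct dependents
    for entry in sbom["dependencies"]:
        for dep in entry["dependsOn"]:
            reverse.setdefault(name_of[dep], set()).add(name_of[entry["ref"]])
    affected, frontier = set(), [vulnerable_name]
    while frontier:
        for parent in reverse.get(frontier.pop(), ()):
            if parent not in affected:
                affected.add(parent)
                frontier.append(parent)
    return affected
```

Any change to a component (for example a version bump after a rebuild) changes the digest, so the stored SBOM and its digest must be regenerated together in the pipeline rather than edited by hand.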
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1730) | | |
NIST Secure Software Development Framework (PS.3.2) | | |
S2C2F: Secure Supply Chain Consumption Framework (REB-3) | | |