CISA Releases Supply Chain Risk Management Hardware Bill of Materials 

The CISA has released a Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management. The Framework was developed by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force.  

“The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain. With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington.

Key components:  

  • Provides a range of potential use cases that purchasers may have for HBOMs, based on the nature of the risk the purchaser seeks to evaluate.
  • Sets forth a format that can be used to ensure consistency across HBOMs and to increase the ease with which HBOMs can be produced and used.
  • Provides a taxonomy of component/input attributes that, depending on the use for which the purchaser intends to use an HBOM

“This methodology gives organizations a useful tool to evaluate supply chain risks with a consistent and predictable structure for a variety of use cases” said John Miller, Senior Vice President of Policy and General Counsel at Information Technology Industry Council (ITI) and ICT SCRM Task Force Co-Chair.

Stephen Gates, Principal Security SME, had this to say:

   Like the SBOM initiative mentioned in the May 2021 Executive Order on Improving the Nation’s Cybersecurity, the HBOM initiative makes a great deal of sense. Knowing what hardware and software components are inside of a product should help improve security in the supply chains we all rely upon. However, another movement that seems to be gaining steam is in the area of continuous security assessments for those who supply software, hardware, parts, and components that upstream entities rely upon – especially in terms of critical infrastructure.

   “For example, software and/or hardware manufacturers who are part of a supply chain and sell components to upstream entities will soon be asked to provide proof of continuous security assessments used as an indicator of just how secure their operations really are. Meaning, if you want to sell hardware and/or software to upstream buyers, you will soon be asked to prove your levels of security, and the only way to economically do that is to perform continuous security self-assessments.

   “The yearly checkbox penetration test so many have grown accustom too won’t cut the mustard any longer. They are only a snapshot in time, they often don’t tell the whole story, and they are cost prohibitive. Organizations who supply components upstream must find affordable ways of continuously assessing themselves and providing assessment reports to their buyers. Buyers must ensure they can mitigate any risk that could be transferred to them, hence the reason for wanting proof of supplier security levels.

   “The best way to continuously assess the security of a suppliers’ operations is to employ autonomous penetration testing technologies that can continuously assess and report on the security of the suppliers’ operations at any given moment in time. This will likely become the norm and not the acceptation moving forward.”

Like the SBOM this is a good move by the CISA. Because everything that we can all do to identify threats, be they hardware or software, is worth it to reduce an organization’s attack surface. This is one initiative that I can get behind.

Leave a Reply

%d bloggers like this: