Are You Ready to Meet the SBOM Requirements of the Cyber Resilience Act?

Whether you’re a Software Compliance Manager, DevOps Architect, Software Engineer or Legal Consultant, find out what you need to know…

Whether you’re a Software Compliance Manager, DevOps Architect, Software Engineer or Legal Consultant, find out what you need to know to protect your intellectual property from security and legal risks.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is expected to be enacted in early 2024. This European Union legislation sets out to improve hardware and software product cybersecurity and transparency across the supply chain, especially for highly regulated industries such as automotive, finance, healthcare, energy and utilities. The CRA requires manufacturers to produce a software bill of materials (SBOM) to identify components in all products with digital elements. The SBOM is a report that lists all included software components, dependencies, security vulnerabilities, and usage licenses.

When will the CRA enforce the SBOM (Software Bill of Materials) requirement?

The CRA has multiple components but much of it will be enforceable three years after it passes which puts it at early 2027. As it relates to SBOMs, the following statement applies to products with digital elements (PDEs) that are commercially available in the EU:

Software Bill of Materials (SBOM): Manufacturers must identify and document product components and vulnerabilities, including by drawing up a software bill of materials (SBOM) of at least the top-level dependencies of the product [Annex I, Part II (1)]. The SBOM does not have to be made publicly available [Recital 37].

How does the CRA impact business in the USA?

While the legislation is enacted in the EU, the CRA will have major implications around the globe for software and connected device manufacturers. Similarly, the US has enacted Executive Order 14067, officially titled Ensuring Responsible Development of Digital Assets, to encourage responsible development of digital assets. Likewise, Executive Order 14067 stresses that companies must deliver an SBOM and defines it as “a formal record containing the details and supply chain relationships of various components used in building software”. The National Telecommunications and Information Administration (NTIA) has published “The Minimum Elements for a Software Bill of Materials (SBOM)”.

What should an SBOM contain?

An SBOM should provide a comprehensive inventory of software components used in building the final software product. This includes:

  • Open-source libraries and dependencies
  • Commercial/proprietary libraries and modules
  • Versions of libraries and components
  • Relationships between components
  • Security vulnerabilities
  • Licensing information

There are three common standards for SBOMs:

What makes SBOM generation challenging?

The software supply chain’s complex and decentralized nature makes accurate and efficient SBOM management difficult. Inconsistent or lack of documentation amongst third-party sources, a wide range of license types, and software composition analysis (SCA) tools that focus only on code that is declared in package manifests or cannot identify snippets of components make SBOM management particularly challenging.

The continued proliferation of open source code, use of code snippets and AI-generated code add to the complexity that requires not only more advanced SCA toolsets for scale, but also expertise in the form of open source auditors familiar with the nuances of copyright and open source license types.

How can I improve SBOM management to be ready for the CRA?

Most likely you have an SBOM process in place but it needs improvement – to be more complete, more accurate, and less time-intensive. Here’s a punch list to help you make progress with your SBOM improvement and CRA readiness plan.

Stay Informed: Regularly check official government websites, cybersecurity forums, and industry publications for updates on the Cyber Resilience Act and Software Bill of Materials requirements. Have a trusted software composition analysis partner who can explain how you’re impacted.

Research SBOM Standards: Familiarize yourself with Software Bill of Materials (SBOM) standards and specifications. Understand the format and structure of SBOMs to ensure compliance with the requirements.

Collaborate with Security Teams: Work closely with your organization’s cybersecurity teams to align software development practices with security best practices and compliance requirements.

Implement SBOM in Development Processes: Integrate software composition analysis (SCA) into your software development lifecycle (SDLC). Ensure that your software products include accurate and up-to-date SBOM information.

SBOM Tools, Automation: Explore software composition analysis tools and SBOM automation solutions that can help ingest, generate and manage SBOMs efficiently. This can streamline the compliance process and reduce the risk of errors.

Find SBOM Expertise: There is no “silver bullet” tool for SBOM management. The process also requires expertise you may not have on-staff. Look to SCA providers that can also offer flexible levels of open source audit services to navigate the complexity of identifying components by partial-match and determining the restrictiveness of licensing.

Additional Resources

FossID Team​

The FossID Team byline indicates this article reflects the collective work of the FossID team. With nearly a decade of expertise delivering open source auditing services, FossID is a pioneer in the critical field of software auditing and compliance. FossID’s Software Composition Analysis (SCA) tool, Workbench, and professional services are designed to ensure comprehensive open source compliance and security in software development.

Other Articles relevant