Monday, January 30, 2023

Do we need regulations to have SBOMs?


In the SBOM Forum meeting last Friday, we had a lively discussion – nay, argument – on a question that frankly surprised me: Will it take regulation to make SBOMs widely distributed and widely used by private and governmental organizations whose main business isn’t software?

It’s quite clear that SBOMs are being widely used by software developers for their own product security purposes. However, it’s also clear that SBOMs are not being widely – or even narrowly – distributed to non-developers[i]. And, while there are certainly a lot of suppliers who don’t want to distribute SBOMs, there are also a lot of users who would like to utilize the information that SBOMs provide, but have no idea how they will be able to get that information from an SBOM when they receive it. This is because there aren’t any low-cost, commercially supported tools (or really any tools at all) that ingest both SBOMs and VEX information and output lists of exploitable component vulnerabilities in a particular product and version.
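To make concrete what such a tool has to do, here is an added example (my illustration, not code from the post or from any existing product) of the core join: take the component list from an SBOM, match each component against a vulnerability feed, and then apply VEX statements so that only vulnerabilities the supplier has not marked `not_affected` or `fixed` for this exact product version are reported. The SBOM, the vulnerability feed and the VEX statements are constructed sample data; the vulnerability identifiers (`VULN-0001` and so on) are placeholders, not real CVE numbers. The status vocabulary (`affected`, `not_affected`, `fixed`, `under_investigation`) is the one used by CSAF VEX and CycloneDX VEX; everything else (field names, the `acme-gateway` product) is assumed for the example.

```python
"""Join an SBOM with a vulnerability feed and VEX statements, and report the
component vulnerabilities that are still exploitable for one product version.
Added illustration with constructed data; placeholder vulnerability ids."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# VEX statuses that mean "nothing to do for this product version".
# (Assumption: "under_investigation" and a missing statement are still reported.)
NOT_EXPLOITABLE = {"not_affected", "fixed"}

# Constructed, CycloneDX-shaped SBOM for a hypothetical product "acme-gateway" 2.1.0.
SBOM: Dict = {
    "metadata": {"component": {"name": "acme-gateway", "version": "2.1.0"}},
    "components": [
        {"name": "json-parser", "version": "1.4.2",
         "purl": "pkg:maven/org.example/json-parser@1.4.2"},
        {"name": "tls-lib", "version": "3.0.1", "purl": "pkg:generic/tls-lib@3.0.1"},
        {"name": "logger", "version": "2.8.0", "purl": "pkg:npm/logger@2.8.0"},
    ],
}

# Constructed vulnerability feed: component purl -> placeholder vulnerability ids.
VULN_FEED: Dict[str, List[str]] = {
    "pkg:maven/org.example/json-parser@1.4.2": ["VULN-0001", "VULN-0002"],
    "pkg:generic/tls-lib@3.0.1": ["VULN-0003"],
    "pkg:npm/logger@2.8.0": ["VULN-0004"],
}

# Constructed VEX statements issued by the (hypothetical) supplier.
VEX_STATEMENTS: List[Dict] = [
    {"vuln_id": "VULN-0001", "product": "acme-gateway@2.1.0",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln_id": "VULN-0002", "product": "acme-gateway@2.1.0", "status": "affected"},
    # This statement is about a different version, so it must NOT suppress VULN-0003 in 2.1.0.
    {"vuln_id": "VULN-0003", "product": "acme-gateway@2.0.0", "status": "fixed"},
    # VULN-0004 has no VEX statement at all.
]


@dataclass(frozen=True)
class Finding:
    purl: str
    vuln_id: str
    status: str  # VEX status, or "no_vex" when the supplier has said nothing


def product_key(sbom: Dict) -> str:
    """The product/version a VEX statement must name to apply to this SBOM."""
    c = sbom["metadata"]["component"]
    return f"{c['name']}@{c['version']}"


def lookup_vex(statements: List[Dict], product: str, vuln_id: str) -> Optional[str]:
    """Return the VEX status for (product version, vulnerability), or None if absent."""
    for s in statements:
        if s["product"] == product and s["vuln_id"] == vuln_id:
            return s["status"]
    return None


def exploitable_vulnerabilities(sbom: Dict, feed: Dict[str, List[str]],
                                statements: List[Dict]) -> List[Finding]:
    """Components x feed, filtered by VEX: what still needs attention for this version."""
    product = product_key(sbom)
    findings: List[Finding] = []
    for comp in sbom["components"]:
        purl = comp.get("purl")
        if not purl:
            # Without a stable identifier the component cannot be matched reliably;
            # a real tool would fall back to name/version matching and flag the gap.
            continue
        for vuln_id in feed.get(purl, []):
            status = lookup_vex(statements, product, vuln_id)
            if status in NOT_EXPLOITABLE:
                continue  # supplier says this version is not exploitable
            findings.append(Finding(purl, vuln_id, status or "no_vex"))
    return sorted(findings, key=lambda f: (f.purl, f.vuln_id))


if __name__ == "__main__":
    for f in exploitable_vulnerabilities(SBOM, VULN_FEED, VEX_STATEMENTS):
        print(f"{f.purl}\t{f.vuln_id}\t{f.status}")
```

Two design choices matter for a user of such a tool: a VEX statement only suppresses a vulnerability when it names the exact product version in the SBOM (the `fixed` statement for 2.0.0 above does nothing for 2.1.0), and a vulnerability with no statement is reported as `no_vex` rather than silently dropped, since silence from the supplier is not the same as `not_affected`.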

In the meeting on Friday, a number of well-known, very experienced people in the SBOM space were telling me that SBOMs won’t really be distributed until suppliers are forced to do that by regulations. However, those people say that regulations are right around the corner, so SBOMs are also surely right around the corner.

I frankly don’t know what these people are talking about. I’m optimistic that within two years there will be substantial distribution and use of SBOMs. However, it won’t be due to regulation. It will be due to – dare I say it? – the operation of the free market. Simply put, it will be due to organizations that use SBOMs deciding that a) they want to have the information that can be gained from SBOMs, and b) the tools and/or services needed to obtain that information are readily available to them (which they aren’t now).

Here is why regulations aren’t coming (or at least not in anywhere near the volume or strength required to make a difference), and also why they wouldn’t be needed, even if they were coming:

1. I, like everyone else involved with SBOMs, thought Executive Order 14028 would be a game changer; it certainly did change the game in terms of awareness of SBOMs. But the date for compliance with Section 4(e) of the EO (which includes the SBOM provisions) was set by OMB for August 10, 2022. On that date, government agencies were supposed to start requiring SBOMs from their suppliers. I haven’t heard of any flood of SBOMs after that date, have you?

2. After that date passed, expectation grew for OMB’s EO implementation memo in September. But that memo, when it appeared, required every agency to…decide for themselves what if anything to do about SBOMs. Not exactly a game-changer, IMHO.

3. The memo does require an attestation from the supplier about their software development practices (including SBOMs), but if the supplier attests that they will produce an SBOM and don’t do it, or if they just attest that they won’t produce one at all, there’s no mechanism for an agency to force the supplier to do this. And if an agency were to even consider terminating a relationship with a supplier due to failure to produce an SBOM, the supplier will simply say, “Please show me where in our current contract it says we’re required to produce SBOMs.”

4. Indeed, the EO did call for changes in the Federal Acquisition Regulation (FAR), which would be required in order to change new contracts. I haven’t heard anything about any changes in FAR being implemented (and I don’t know whether they require Congressional approval if so). And even when the FAR is changed, remember that would only apply to new acquisitions, not to any current contracts. Of course, federal contracts with suppliers are usually multiyear, meaning it will be years before any changes will be implemented due to the EO.

5. So – and I should have realized this initially – there’s simply no way that the EO is going to make any real difference in SBOMs, unless federal agencies decide they really need SBOMs (or at least data from them) and do more than just ask meekly for an SBOM – then move to the next topic when the supplier says no. In other words, it will be demand from consumers – the agencies – that will drive federal use of SBOM data. The EO certainly will have played a big role in inspiring that demand, but it won’t be the reason that SBOMs are being distributed and used.

6. If not from the EO, where is federal regulation going to come from, which will force suppliers to provide SBOMs to their users? Of course, there’s the FDA, which was empowered by Congress in December to require medical device manufacturers to meet cybersecurity requirements – including one for SBOMs – in order to be approved to market their devices in the US. In the SBOM Forum meeting, several people pointed to this as a reason why there would soon be a lot of regulations – i.e., other agencies would rush to jump on the FDA’s bandwagon.

7. But this development isn’t new news. In 2017, the FDA put out a memo saying they intended to require SBOMs (and other cybersecurity measures, to be sure) in the future, without giving a date. The December Omnibus bill finally gave them the authorization to do that. But if other agencies were going to jump on that bandwagon, they would have done it years ago.

8. However, what other government agency could jump on this bandwagon? It would have to be one that currently has the power to regulate suppliers, for anything other than product safety. The Nuclear Regulatory Commission (or one of the other nuclear power agencies – there are a few) is one. The military and intelligence agencies are certainly another. Is there any other? Not that I know of. In other words, currently there’s no authority for any government agency to require anything besides product safety of the suppliers of any industry outside of nuclear power or the military/three-letter agencies. Where are all these requirements for SBOMs going to come from?

9. A supplier to critical infrastructure brought up that sector (or sectors) as a likely subject of mandatory SBOM requirements soon. But what agency is going to promulgate those requirements? Remember, the agency would need to have responsibility for the suppliers to an industry, not just the members of the industry itself. A good illustration is the NERC CIP-013 supply chain cybersecurity standard, which came into effect in 2021 and is the only supply chain security standard that I know of outside of the FDA, military and nuclear power. But CIP-013 doesn’t regulate power industry suppliers, since FERC (which provides the enforcement power behind NERC standards) has no authority at all over suppliers. The utilities are supposed to develop supply chain cyber risk management plans, a big component of which is managing vendor risk, and they can face penalties if they develop a slapdash plan, or if they don’t follow the plan they developed.

10. Sure, the power industry suppliers have felt a lot of pressure from their utility customers due to CIP-013, and are getting their collective cybersecurity acts together; but they don’t face any direct penalties if they refuse to cooperate at all, unless the utilities take action against them like dropping them as suppliers. As with the EO, CIP-013 will only be effective if the regulated entities (government agencies in the case of the EO, and electric utilities in the case of CIP-013) demand security measures of the suppliers (of course, CIP-013 doesn’t say anything directly about SBOMs, but a utility can certainly require them if they think they’re important. To be honest, I doubt too many are doing that now, although the Edison Electric Institute did put out model contract language recently that includes a modest SBOM provision).

11. Bottom line: If there’s going to be regulation of suppliers in the US – other than safety regulations – it will have to be from some new agency still to be created by Congress. I haven’t heard the slightest peep about that happening, have you?

However, I am quite optimistic that SBOMs will be widely used (or more importantly, that the data to be derived from SBOMs and VEX information will be widely used) within the next two years - although “widely” is relative. The total “market” for SBOMs is every organization, public or private, on the planet. Ultimately, that’s what “widely” will mean, but I won’t even guess on when that will come into existence. Fortunately, there’s lots of growth opportunity long before that outcome is realized.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] The one exception being the German auto industry, whose device suppliers (the average German car now has about 50 computing devices in it) are distributing SBOMs in large quantities to the car manufacturers (known as OEMs in industry parlance). But the primary use case is license management for open source components, not software or firmware security.
