Recommendations for Software Bill of Materials (SBOM) Management

The dramatic increase in cyber compromises over the past five years, specifically of software supply chains, prompted intense scrutiny of measures to strengthen the resilience of supply chains for software used throughout government and critical infrastructure. Several policies and working groups at multiple levels within the U.S. Government focus on this need to ensure the authenticity, integrity, and trustworthiness of software products.

The office of the National Manager for National Security Systems (NSS), working in collaboration with other NSA organizations, researched and tested tools that manage Software Bills of Materials (SBOMs) as part of a Cybersecurity Supply Chain Risk Management (C-SCRM) strategy. This guidance includes important recommendations for SBOM management tool functionality derived from the research and evaluation of various SBOM management tools.