NTIA SBOM Multistakeholder Group Sees Further Progress

Director-Cybersecurity Initiatives Allan Friedman during a Wednesday conference call. Group members noted continued progress on SBOM issues, including how to create an interoperable format for software companies to use to aid understanding of common data sets used in different software programs. The Framing Working Group released a naming-focused use cases document and noted identification issues as a major factor in their work. The Formats and Tooling WG focused on considering how automation could be helpful in making sense of software company-generated data are generating and finding knowledge gaps in current stakeholder-drafted SBOM documents. The Awareness and Adoption Working Group said its work has shifted away from earlier plans to do outreach to the technical community amid the COVID-19 pandemic. The group is creating an FAQ to answer questions about the SBOM process and encourage stakeholders to adopt NTIA’s coming end product. The group released a draft version of the FAQ ahead of the meeting. The Healthcare Proof of Concept WG said it’s been working on a proof of concept to share information collected from medical devices. The healthcare industry created its own proof of concept document before NTIA released initial SBOM documents last year. The NTIA-developed proof of concept includes input from hospitals’ security providers and software tool providers that collaborate with medical device manufacturers, the subgroup said.