The US Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance designed to improve the accuracy of risk assessments related to hardware products in the supply chain.
The Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management is the work of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force.
It’s designed to encourage consistency in the naming of component attributes, a format for identifying and providing information on those components, and guidelines on what HBOM information is required based on the purpose for which the HBOM will be used.
There are three main components to the framework:
- Use case categories (Appendix A): A range of use cases for hardware buyers, based on the type of risk the buyer is looking to evaluate
- Format of HBOMs (Appendix B): A format that can be used to ensure consistency across HBOMs and streamline the production and use of HBOMs
- Data field taxonomy (Appendix C): A taxonomy of component/input attributes that might be appropriate to include in an HBOM, depending on how the buyer intends to use the HBOM
CISA National Risk Management Center assistant director and ICT SCRM Task Force co-chair, Mona Harrington, praised the new framework.
“The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain,” she said.
“With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience. By enhancing transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.”
While the HBOM Framework is certainly welcome, security teams are still waiting for a software equivalent to help them manage the extraordinary complexity of digital supply chain risk amid widespread use of open source components.