Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the new Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management product from the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force.

The document seeks to create a consistent, repeatable way for vendors to communicate to purchasers the hardware components in products those purchasers have bought or may buy, so that purchasers can evaluate and mitigate risks in their supply chain.


Additionally, CISA said the framework gives industry and government a useful tool to evaluate and address supply chain risks, sets forth a consistent, predictable structure for HBOMs, and provides a set of clearly defined data fields for HBOM components and their attributes, promoting efficiencies across the ICT sector for a variety of use cases.

The framework includes a consistent naming methodology for component attributes, a format for identifying and providing information about the different types of components, and guidance on which HBOM information is appropriate for the purpose the HBOM will serve.

“The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington. “With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience.”

She continued, “By enhancing transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.”

CISA’s new framework has several key components:

  • Use Case Categories: Provides a range of potential use cases that purchasers may have for HBOMs, based on the nature of the risk the purchaser seeks to evaluate;
  • Format of HBOMs: Sets forth a format that can be used to ensure consistency across HBOMs and to increase the ease with which HBOMs can be produced and used; and
  • Data Field Taxonomy: Provides a taxonomy of input attributes that, depending on the use for which the purchaser intends to use an HBOM, may be appropriate to include in an HBOM.

The framework was developed by the ICT SCRM Task Force’s HBOM Working Group, which includes subject matter experts from a diverse set of private and public sector organizations.

John Miller, senior vice president of policy and general counsel at Information Technology Industry Council and ICT SCRM Task Force co-chair, said, “This methodology gives organizations a useful tool to evaluate supply chain risks with a consistent and predictable structure for a variety of use cases.”

Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.