CISA Rolls Out a HBOM Framework to Secure Hardware Components
The federal government for the past few years has focused on protecting the software supply chain in the wake of such high-profile incidents as the SolarWinds hack in 2020 and the Log4j vulnerability a year later.
A key part of that has been software bills-of-materials (SBOMs), an inventory of the various components that make up a piece of software and a way for organizations to account for the products they are bringing into their IT environments. This becomes increasingly important given the amount of code – much of it open source – that is used to build software, a lot of which comes from outside a business’ development team.
Now the U.S. Cybersecurity and Infrastructure Agency wants organizations to have the same information about the hardware systems that run all this software.
CISA this week rolled out a framework for a hardware bill of materials (HBOM) that, like an SBOM, lists the hardware components that make up a system and the details of those components. The Hardware Bill of Materials Framework for Supply Chain Management includes a consistent way to name attributes of components, a format for identifying and providing information about the types of components, and guidance for deciding what HBOM information is needed based on why the list will be used.
The goal is to create a “consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain,” said Mona Harrington, assistant director of CISA’s National Risk Management Center and co-chair of the task force that developed the HBOM framework. “With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience.”
Harrington added that the transparency and traceability in HBOMs enable vendors and businesses to “identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.”
The framework is the product of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force.
The Push for HBOMs
HBOMs may not be getting the same attention as SBOMs, but they’ve been around longer than SBOMs and “are becoming more commonplace in the tech industry as more companies look to secure their cyber footprints,” according to cyber-risk management company Fortress Information Security.
There already are HBOMs that are part of larger bills of materials for IT products, such as CycloneDX, a project of the OWASP Foundation, which earlier this year released version 1.5.
In a blog post in April, John Taplett, co-founder and CEO of Ceritas, which has a platform used to analyze and remediate HBOMs in critical infrastructure, called for a global standard for HBOMs, a necessity in a world that is increasingly awash in both technology and global tensions like the ongoing dispute between the United States and China over semiconductors.
“Great power competition has spilled into economic conflict for centuries; but never before have technical innovation and information cycles moved as quickly leaving policy behind and out of sync,” Taplett wrote, adding that the “technical debt” could lead to significant impacts as such competition goes digital. “Both nation states and non-state belligerents now employ tens of thousands of hackers and cyberwarfare specialists, who daily probe global information technology and critical infrastructure for vulnerabilities in both hardware and software.”
He noted that manufacturers already include bills of materials with their products and most hardware manuals and marketing materials identify the components within products. Aggregating the information creates a framework for HBOMs. The problem is that most HBOMs are organized in JSON or text files that are not easily standardized or aggregated.
Follow the SBOM Example
The industry and government need to create a standard similar to what’s happening with SBOMs.
“Hardware vulnerabilities are unlike software vulnerabilities, in that they are physical and more difficult to address,” Taplett wrote. “The microelectronics supply chain has simply become too globally complex and it is evolving into a battleground of great power competition. The time to put the foundational elements of a HBOM standard in place is now. … The future is coming it is full of evolving threats.”
The CISA framework aims to establish such a standard and to ensure consistency with other platforms, including CycloneDX and Software Package Data Exchange (SPDX), a Linux Foundation project, with the goal of having the HBOM framework merge with emerging SBOMs.
The framework also is aimed at listing not only the hardware components, but also the firmware that is included in those components. It also addresses three use cases – security, compliance, and availability – depending on the need of the product buyer.