CISA's push for hardware bills of materials.
By Ladzer Odotei Blumenfeld, CyberWire stringer
Sep 28, 2023

CISA advances a voluntary Hardware Bill of Materials Framework.

CISA's push for hardware bills of materials.

On Monday the US Cybersecrity and Infrastructure Security Agency (CISA) released its Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management. Created by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, the document provides guidelines by which tech manufacturers can clearly communicate with buyers about the hardware components of their products. The goal is akin to a nutrition label found on a package of food, giving the consumer – in this case, tech purchasers – a clearer idea of the ingredients the product contains, and in turn the inherent risks of using it.

The goals are enhanced standardization, transparency, and resilience in the supply chain.

CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington stated in a press release, “With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience. By enhancing transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.” The framework offers a set of potential use cases that purchasers may have for HBOMs, an format that should be used to create consistency across HBOMs, and taxonomy of component/input attributes that should be included in the HBOM.

Some experts question the efficacy of HBOMs.

As NextGov notes, adherence to the framework is voluntary, but in the absence of mandatory guidance, the task force hopes the document will lead to a more consistent approach. Robert Mayer, ICT Task Force co-chair and senior vice president of Cybersecurity and Innovation at USTelecom, stated, “This resource plays a vital role in adopting proactive approaches to mitigate risks effectively." As the Washington Post observes, some experts approve of the plan, while others are more skeptical. Andreas Kuehlmann, CEO of Cycuity, said that while the framework is a step in the right direction, there’s room for improvement. “It’s very focused on the supply chain, and that is a very important aspect. What I’m missing, and I think is equally important, is to trace the HBOMs through the life cycle of a product.” David Brumley, CEO of ForAllSecure and a cyber professor at Carnegie Mellon University, says he thinks the framework is really intended to keep US buyers from purchasing products from China, and he predicts the HBOM guidelines will not actually be followed. “I don’t see this having much impact and I don’t know why people would comply with it,” he stated.

Other industry experts approve of HBOMs as a sound evolutionary step toward improved security.

But others see the policy as a step in the right direction. Javed Hasan, CEO and Co-founder of Lineaje, liked what he saw in the HBOM. It will, he wrote, be particularly important in securing the Internet-of-things. “CISA’s latest announcement introducing the Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management should be commended, since it parallels their SBOM initiatives and extends risk management to hardware components. With the increase in demand for IoT products, the synergy between SBOMs and HBOMs is becoming increasingly essential to achieve a holistic supply chain risk management strategy. It means that organizations can now have a more comprehensive view of their entire supply chain, covering both software and hardware components. This integrated approach will lead to more robust and secure digital landscapes, better protection against emerging threats, and improved overall resilience.” 

Bills of materials aren't, of course, new. But Kayla Underkoffler, Lead Security Technologist at HackerOne, approved of the way this program was developed. “HBOMs are not ‘new’ per se, as the idea of taking inventory on parts that are used to make an end product has been around for a long time. It’s great to see CISA incorporated industry feedback to encourage buy-in to these best practices. The act of modernizing and building a practical framework driven by industry input for organizations is a great way to encourage widespread HBOM standardization and adoption. This new guidance also appears to pull inspiration from frameworks established for SBOMs, which require documents to be living and machine-readable. All of these qualities mean HBOMs that follow the framework will become more effective for strategic and security-minded purchasing decisions," Underkoffler wrote, adding, "The framework also succeeds in emphasizing the necessity of transparency within the supply chain to keep consumers safe. The risk level of a specific vulnerability within a product will be different for every buyer depending on implementation. It is imperative that buyers have as much information and context as possible so they can make calculated decisions to prioritize vulnerability handling and anticipate where they might emerge.” 

The new program is expected to prove itself when it's integrated with other security measures. Stephen Gates, Principal Security SME at Horizon3.ai, sees the program as a positive, and as consistent with other, earlier security initiatives. "Like the SBOM initiative mentioned in the May 2021 Executive Order on Improving the Nation’s Cybersecurity, the HBOM initiative makes a great deal of sense. Knowing what hardware and software components are inside of a product should help improve security in the supply chains we all rely upon. However, another movement that seems to be gaining steam is in the area of continuous security assessments for those who supply software, hardware, parts, and components that upstream entities rely upon – especially in terms of critical infrastructure," Gates said. “For example, software and/or hardware manufacturers who are part of a supply chain and sell components to upstream entities will soon be asked to provide proof of continuous security assessments used as an indicator of just how secure their operations really are. Meaning, if you want to sell hardware and/or software to upstream buyers, you will soon be asked to prove your levels of security, and the only way to economically do that is to perform continuous security self-assessments."

And a hardware bill of materials, Gates argued, is a step toward continuous assessment. “The yearly checkbox penetration test so many have grown accustomed to won’t cut the mustard any longer. They are only a snapshot in time, they often don’t tell the whole story, and they are cost prohibitive. Organizations who supply components upstream must find affordable ways of continuously assessing themselves and providing assessment reports to their buyers. Buyers must ensure they can mitigate any risk that could be transferred to them, hence the reason for wanting proof of supplier security levels. The best way to continuously assess the security of a supplier's operations is to employ autonomous penetration testing technologies that can continuously assess and report on the security of the suppliers’ operations at any given moment in time. This will likely become the norm and not the exception moving forward.”