The Centers for Medicare and Medicaid Services’ plan to implement President Joe Biden’s Executive Order on software procurement requires more than the bare minimum from contractors.

The executive order requires agencies to obtain a software bill of materials – usually described as an ingredient list of the code libraries that make up a particular application – from vendors. But not all SBOM standards are created equal. The leading standards for their formulation include SWID (Software Identification), SPDX (Software Package Data Exchange), and CycloneDX, and some only require basic license or version information. Proponents say that gathering even the most superficial information is an important first step, while others argue that realizing the full security potential of SBOMs would require uncovering deeper levels of the software supply chain.

“We are just beginning to lay the foundations for how we will incorporate CycloneDX, the safety-oriented SBOM standard, into our data …