The Cybersecurity and Infrastructure Security Agency (CISA) recently released the new Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management product from the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force.  

The HBOM product provides a framework that includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance of what HBOM information is appropriate depending on the purpose for which the HBOM will be used. 

The framework has several key components:  

  • Use Case Categories (Appendix A): Provides a range of potential use cases that purchasers may have for HBOMs, based on the nature of the risk the purchaser seeks to evaluate. 
  • Format of HBOMs (Appendix B): Framework sets forth a format that can be used to ensure consistency across HBOMs and to increase the ease with which HBOMs can be produced and used. 
  • Data Field Taxonomy (Appendix C): Provides a taxonomy of component/input attributes that, depending on the use for which the purchaser intends to use an HBOM, may be appropriate to include in an HBOM. 

“CISA’s latest announcement introducing the Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management should be commended, since it parallels their SBOM initiatives and extends risk management to hardware components," said Javed Hasan, CEO and Co-founder, Lineaje. "With the increase in demand for IoT products, the synergy between SBOMs and HBOMs is becoming increasingly essential to achieve a holistic supply chain risk management strategy. It means that organizations can now have a more comprehensive view of their entire supply chain, covering both software and hardware components. This integrated approach will lead to more robust and secure digital landscapes, better protection against emerging threats and improved overall resilience.” 

“HBOMs are not ‘new’ per se, as the idea of taking inventory on parts that are used to make an end product has been around for a long time. It’s great to see CISA incorporated industry feedback to encourage buy-in to these best practices," said Kayla Underkoffler, Lead Security Technologist, HackerOne. "The act of modernizing and building a practical framework driven by industry input for organizations is a great way to encourage widespread HBOM standardization and adoption. This new guidance also appears to pull inspiration from frameworks established for SBOMs, which require documents to be living and machine-readable. All of these qualities mean HBOMs that follow the framework will become more effective for strategic and security-minded purchasing decisions. The framework also succeeds in emphasizing the necessity of transparency within the supply chain to keep consumers safe. The risk level of a specific vulnerability within a product will be different for every buyer depending on implementation. It is imperative that buyers have as much information and context as possible so they can make calculated decisions to prioritize vulnerability handling and anticipate where they might emerge.”