A software bill of materials (SBOM) is a familiar concept in the cybersecurity field. It was even mandated by President Biden in Executive Order 14028, Improving the Nation's Cybersecurity, as part of the push to strengthen software supply chain security. Like the ingredients list on a bag of processed snacks, the SBOM is a list of the components used in building a piece of software and the supply chain relationships between them, down to the solution's open source and commercial software components.
The CBOM, or compliance bill of materials, applies the same principle to cyber compliance results. A CBOM automates the capture of the cyber controls and POA&Ms (plans of action and milestones), ports and protocols, certificates, applications, and so on that are documented in the RMF (Risk Management Framework) or ATO (authority to operate) process, and expresses them as compliance code.
The problem CBOMs solve.
Today, the authorization and auditing function within an organization and its operations function are somewhat disconnected. A lot of work takes place in the RMF and authorization (ATO) process, and the technicians build a book full of everything they found and how they addressed it, including STIG and CIS controls, the software stack, incompatibilities, and waivers. This is done with the intention that production support will read the book and implement all the controls in it.
But that's not how things turn out. The book goes on a shelf, and nothing happens with it. The things we expect production to implement and manage as a result of the RMF process don't happen, causing great frustration. This has been going on for decades without a good solution. The CBOM is the solution we've been looking for.
How the CBOM changes things.
A CBOM, in the simplest sense, is a list of the machine controls created in the ATO or RMF process that can be scanned or remediated. With automation, you can generate a bill of compliance that is driven into production, so everyone is implementing, enforcing, and assessing the same controls.
The benefit of the CBOM is that production does what it was supposed to do, because now it has the "ingredients list", a roadmap for doing it. Production can also return the assessment results in the same format, creating a 360-degree connection from the RMF process to operations and back to RMF again. It marries the compliance and IT worlds for smoother processes and stronger compliance. And because automation creates the CBOM with little to no human interaction, it doesn't take more time or more work; it's a byproduct of the automation process.
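To make the "same format in, same format out" idea concrete, here is an added example. It is not SteelCloud's or ConfigOS's code, and the page defines no CBOM format, so the structure below is a hypothetical one: a small CBOM written as a Python dictionary, a constructed snapshot of a production host, and an assessment routine that returns results in the CBOM's own shape. All identifiers, file paths, settings and the POA&M reference are made up for illustration and are not real STIG or CIS controls.

```python
import json
import re
from datetime import date

# Constructed CBOM: the machine-checkable decisions an RMF/ATO process made,
# written as compliance code. IDs, paths, settings and the POA&M reference
# are illustrative placeholders, not real STIG or CIS identifiers.
CBOM = {
    "system": "example-app",
    "controls": [
        {"id": "CFG-001", "type": "config", "file": "/etc/ssh/sshd_config",
         "key": "PermitRootLogin", "expected": "no"},
        {"id": "CFG-002", "type": "config", "file": "/etc/ssh/sshd_config",
         "key": "X11Forwarding", "expected": "no",
         "waiver": "POAM-17: legacy tooling, revisit next quarter"},
        {"id": "PPS-001", "type": "ports", "protocol": "tcp",
         "allowed": [22, 443]},
        {"id": "CRT-001", "type": "cert", "subject": "app.example",
         "min_days_valid": 30},
    ],
}

# Constructed snapshot of a production host, as an inventory agent might
# report it. No real host is read or modified.
HOST_STATE = {
    "files": {"/etc/ssh/sshd_config":
              "Port 22\n# PermitRootLogin no\nPermitRootLogin yes\nX11Forwarding yes\n"},
    "listening": [("tcp", 22), ("tcp", 443), ("tcp", 8080)],
    "certs": [{"subject": "app.example", "not_after": "2025-06-01"}],
}


def config_value(text, key):
    """Value of the first uncommented 'Key value' line, or None if absent."""
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\S+)", line)
        if m and m.group(1) == key:
            return m.group(2)
    return None


def check_control(ctrl, host, today):
    """Evaluate one control against the snapshot; returns (status, observed)."""
    kind = ctrl["type"]
    if kind == "config":
        text = host["files"].get(ctrl["file"])
        if text is None:
            return "error", "file not in snapshot"
        observed = config_value(text, ctrl["key"])
        if observed == ctrl["expected"]:
            return "pass", observed
        # A documented waiver keeps the deviation visible as 'waived', not 'fail'
        return ("waived" if ctrl.get("waiver") else "fail"), observed
    if kind == "ports":
        extra = sorted(port for proto, port in host["listening"]
                       if proto == ctrl["protocol"] and port not in ctrl["allowed"])
        return ("fail" if extra else "pass"), extra
    if kind == "cert":
        for cert in host["certs"]:
            if cert["subject"] == ctrl["subject"]:
                days_left = (date.fromisoformat(cert["not_after"]) - today).days
                return ("pass" if days_left >= ctrl["min_days_valid"] else "fail"), days_left
        return "error", "certificate not found"
    return "error", f"unknown control type {kind!r}"


def assess(cbom, host, today):
    """Run every control; results keep all CBOM fields plus 'status' and 'observed'."""
    result = {"system": cbom["system"], "assessed": today.isoformat(), "controls": []}
    for ctrl in cbom["controls"]:
        status, observed = check_control(ctrl, host, today)
        result["controls"].append({**ctrl, "status": status, "observed": observed})
    return result


def summary(result):
    """Counts by status, the one-line posture the authorizing official wants."""
    counts = {}
    for entry in result["controls"]:
        counts[entry["status"]] = counts.get(entry["status"], 0) + 1
    return counts


def run_example():
    """Assess the constructed host on a fixed date so the output is reproducible."""
    return assess(CBOM, HOST_STATE, date(2024, 11, 15))


if __name__ == "__main__":
    report = run_example()
    print(json.dumps(report, indent=2))
    print(summary(report))
```

Because every result entry keeps the original control fields and only adds `status` and `observed`, the results document can be handed back to the RMF side, diffed against the previous cycle, or fed in again as the next CBOM; that is the loop the text describes. A documented waiver turns a failing check into `waived` rather than `fail`, so tracked exceptions stay visible in the count instead of disappearing into it, and a control the snapshot cannot evaluate is reported as `error` rather than silently passing.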
Better yet, the CBOM is not just for RMF. It works with the CMMC process and other processes for protecting controlled unclassified information (CUI), too, which extends it to the private organizations that do work with the federal government. It captures all the decisions made in the compliance process and creates a loop that everyone involved in the IT and cybersecurity processes can use to optimize their time, effort, and ultimately their security.
One of our favorite government publications explaining cyber hygiene, cybersecurity, and NIST SP 800-53 is IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies. We recommend reading it before NIST SP 800-53 itself, the catalog of security and privacy controls that the RMF process selects from.
Start thinking about how a CBOM could work for you.
As government cybersecurity evolves and reaches out to its private-sector supply chain to evolve with it, the CBOM can go a long way toward delivering apps that are RMF-ready (or close to it). The goal is to protect data and individuals by keeping sensitive information out of the hands of bad actors, even if it's just a former address of a former employee.
The CBOM can start as simply as a list in a Word document, or it can be generated by compliance software like SteelCloud's ConfigOS. SteelCloud is currently working with government organizations to establish a CBOM process and close the loop between production and compliance.