Just as federal agencies need a software bill of materials (SBOM) to get a detailed, component-level inventory of the open-source and commercial software in their supply chain, government organizations also need to apply the same principle to their cybersecurity compliance results.
A compliance bill of materials (CBOM) serves exactly that purpose: it is the list of machine-readable controls produced in the authorization to operate (ATO) or Risk Management Framework (RMF) process that can be scanned or automated. But what exact benefits does having a CBOM deliver to federal agencies? And how does a CBOM bolster the cybersecurity posture of government organizations?
To get answers to these questions and learn more about what goes into a compliance bill of materials, the GovCyberHub sat down with SteelCloud COO Brian Hajost.
Here is what he had to say:
GovCyberHub (GCH): We often hear about SBOM, but what is CBOM? How does it differ from an SBOM?
Brian Hajost: An SBOM, or software bill of materials, is a detailed list of software components for a given application or app stack. SBOMs will include all of the low-level licensed and open-source pieces of software in a structured format.
CBOM, or compliance bill of materials, is very different, although it may include some of the same items that appear on an SBOM. A CBOM is a list of machine-readable compliance items that were approved in an RMF/ATO process. For example, this might include system-level controls (STIG/CIS), POA&Ms/waivers, ports/protocols, software versions, certs, etc. So, a CBOM is a compliance specification in a machine-readable format.
GCH: What benefits does a CBOM deliver to government agencies? How does it boost an organization’s cybersecurity posture?
Brian Hajost: Today, decisions made and documented in the RMF/ATO process are implemented in production using completely different tools and techniques from those used in the ATO process. Furthermore, the monitoring and assessment of the RMF/ATO controls are typically accomplished using another technology with generic policies.
Using a compliance specification like a CBOM, as compliance as code, to implement and assess the compliance bill of materials creates a “closed loop” between the Assessment and Authorization function and the production IT function. The compliance bill of materials automates both the implementation and assessment of specific compliance items. It reduces the translation friction and overhead inherent in traditional compliance processes.
GCH: Can a CBOM assist with an organization’s CMMC posture? How can it help organizations reach and maintain CMMC compliance?
Brian Hajost: CBOM will help any organization reach and maintain a compliance standard. It is an easy-to-implement model that packages all the machine-readable compliance components in a single piece of automation. And most importantly, a compliance bill of materials helps increase security and consistency – the goals of any compliance regimen.
GCH: Where does an agency begin as it pertains to developing a CBOM? What advice would you give organizations that are just starting to create their CBOM?
Brian Hajost: CBOM implementation can begin with a simple document or spreadsheet. Capturing the types of data that you want to automate in a CBOM process is a great first step. It is also essential to recognize and embrace the beneficial changes CBOM automation will make to agency compliance operations.
GCH: Are there solutions that can help automate the CBOM process for government agencies?
Brian Hajost: The real opportunity to automate a CBOM process is to start pre-ATO, not post-ATO.
A compliance bill of materials can accelerate the RMF process by automating system configurations and artifact production to feed the RMF process. ATOs will be sped up, and the content to implement controls in production will be complete and approved as part of the RMF process.
So, the effort to create a compliance bill of materials is paid for by the reduction of effort, pre-ATO. SteelCloud has been delivering a CBOM for system-level controls for more than a decade. We are in the process of developing technology that will incorporate and automate the entire CBOM stack of controls.
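As an added illustration of the machine-readable, closed-loop idea described in the interview (this is example code written for this page, not SteelCloud's product, format or code, and not part of the interview), here is a toy Python evaluator. One CBOM-style specification carries STIG/CIS-like settings, a port allowlist, a minimum software version, a certificate-expiry threshold and a POA&M waiver; the same specification both renders a configuration fragment (implementation) and is assessed against a host snapshot (assessment). All control IDs, keys, the `sshd.*` key mapping and the host data are constructed for the example.

```python
"""Toy compliance-as-code evaluator driven by a CBOM-style specification.
Added example for this page; not SteelCloud's format. All identifiers,
keys and host data below are constructed for illustration."""
from datetime import date
from typing import Any

# Constructed CBOM. Each control is machine-readable; the waiver table plays
# the role of approved POA&Ms coming out of the RMF/ATO process.
CBOM: dict[str, Any] = {
    "system_id": "example-app-01",
    "controls": [
        {"id": "CFG-001", "type": "setting", "key": "sshd.PermitRootLogin", "expected": "no"},
        {"id": "CFG-002", "type": "setting", "key": "sshd.Ciphers",
         "expected": "aes256-gcm@openssh.com"},
        {"id": "NET-001", "type": "ports", "allowed": [22, 443]},
        {"id": "SW-001", "type": "min_version", "package": "openssl", "min": "3.0.7"},
        {"id": "CRT-001", "type": "cert_expiry", "cert": "web-tls", "min_days_left": 30},
    ],
    "waivers": {
        # Approved exception with an expiry date: a waiver is time-bound.
        "CFG-002": {"poam": "POAM-0042", "expires": "2026-12-31"},
    },
}

# Constructed host snapshot standing in for what a scanner would collect.
HOST: dict[str, Any] = {
    "settings": {"sshd.PermitRootLogin": "no", "sshd.Ciphers": "aes128-ctr"},
    "listening_ports": [22, 443, 8080],
    "packages": {"openssl": "3.0.2"},
    "certs": {"web-tls": date(2026, 6, 1)},
}


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted version string to a numerically comparable tuple ('3.0.10' > '3.0.7')."""
    return tuple(int(p) for p in v.split("."))


def evaluate(control: dict[str, Any], host: dict[str, Any], today: date) -> tuple[bool, str]:
    """Return (passed, detail) for one control checked against the host snapshot."""
    kind = control["type"]
    if kind == "setting":
        actual = host["settings"].get(control["key"])
        return actual == control["expected"], f"{control['key']}={actual!r}"
    if kind == "ports":
        extra = sorted(set(host["listening_ports"]) - set(control["allowed"]))
        return not extra, f"unapproved ports {extra}"
    if kind == "min_version":
        actual = host["packages"].get(control["package"], "0")
        return parse_version(actual) >= parse_version(control["min"]), f"{control['package']} {actual}"
    if kind == "cert_expiry":
        days_left = (host["certs"][control["cert"]] - today).days
        return days_left >= control["min_days_left"], f"{days_left} days left"
    raise ValueError(f"unknown control type {kind!r}")


def assess(cbom: dict[str, Any], host: dict[str, Any], today: date) -> dict[str, str]:
    """Map control id -> 'pass' | 'fail' | 'waived'.
    A waiver only converts a failure, and only while its POA&M has not expired."""
    results: dict[str, str] = {}
    for c in cbom["controls"]:
        ok, _detail = evaluate(c, host, today)
        status = "pass" if ok else "fail"
        waiver = cbom["waivers"].get(c["id"])
        if not ok and waiver and date.fromisoformat(waiver["expires"]) >= today:
            status = "waived"
        results[c["id"]] = status
    return results


def render_sshd_config(cbom: dict[str, Any]) -> str:
    """The same spec drives implementation: emit sshd_config lines for the
    'setting' controls under the hypothetical sshd.* key namespace."""
    lines = []
    for c in cbom["controls"]:
        if c["type"] == "setting" and c["key"].startswith("sshd."):
            lines.append(f"{c['key'].split('.', 1)[1]} {c['expected']}")
    return "\n".join(lines)


if __name__ == "__main__":
    today = date(2026, 1, 15)
    for cid, status in assess(CBOM, HOST, today).items():
        print(cid, status)
    print(render_sshd_config(CBOM))
```

The point of keeping implementation (`render_sshd_config`) and assessment (`assess`) on one specification is that nothing has to be re-translated between the authorization package and production: a change to a control's expected value changes both what gets pushed and what gets checked. Note also that the waiver is evaluated against a date, so an expired POA&M automatically turns back into a finding.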