CISA’s New Hardware Bill of Materials (HBOM) Framework
Published: September 28, 2023
The new cybersecurity guidance seeks to improve visibility and reduce risks of technology hardware procured by federal agencies.
This week, the Cybersecurity and Infrastructure Security Agency (CISA) published their new Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management, focused on creating a consistent, repeatable approach for hardware vendors to communicate the components within their products so that purchasers may assess and mitigate risks in their hardware supply chain.
The HBOM Framework was developed by the HBOM Working Group (WG) under the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force (TF), which is co-chaired by CISA. The TF was created to serve as the primary mechanism for industry and government collaboration on strategies and policies to address ICT supply chain risks confronted by critical infrastructure owners and operators and government entities across the spectrum.
Reducing Hardware Supply Chain Risk
Through its activities, the TF identified “multiple economic and security risks associated with equipment components that may be untrusted, compromised, or subject to availability risks.” Further, in considering lessons learned from the COVID-19 pandemic, the TF concluded that “customers need more visibility into upstream supply chain constraints such as single-source or single-region ‘sub-tier’ suppliers.”
HBOM Use Cases
The Framework includes various use cases (UCs) addressing wide SCRM issues, from compliance and security to availability.
- Compliance – Situations which assess the product’s compliance with rules and regulations. These scenarios will assess the adherence to internal, industry, and customer requirements.
- Within scope are UCs involving compliance to government-related rules and regulations, such as the Fiscal Year (FY) 2019 National Defense Authorization Act (NDAA) Sec. 889, which prohibits the government from obtaining video surveillance and telecommunications equipment from specific entities, subsidiaries and affiliates.
- Security - Scenarios that evaluate the product’s security risk based on the exposure to known vulnerabilities and/or high susceptibility to untrusted entities/geolocations.
- Availability - Conditions that assess product impacts from world events and supply chain diversification (or lack thereof).
The Framework also includes additional appendices laying out a suggested HBOM Format (Appendix B) to ensure consistency and ease of production and use. A Data Field Taxonomy (Appendix C) provides a taxonomy of component/input attributes that may be used. Potential Enhancements and Add-Ons (Appendix D) outlines topics to be addressed in future guidance as it evolves, including addressing component part and entity resolution challenges, where multiple identifiers can be used for the same part, and/or a generic identifier can be used to reference multiple parts.
The latest framework comes on the heels of CISA’s Open Source Software Security Roadmap to drive the secure usage of open source software (OSS) within the federal government and beyond. The White House’s National Cybersecurity Strategy Implementation Plan includes a priority to increase secure-by-design software and hardware practices. CISA is charged with driving the development and adoption of secure-by-design and secure-by-default software and hardware practices across the private sector by the end of FY 2024.
These and other efforts to reduce risks associated with vendor furnished IT products and services continue to place requirements on suppliers as a requirement for federal procurements. (The HBOM Framework is voluntary, but the growing requirement for various BOMs across federal procurement points to wide-reaching mandates.
For hardware suppliers that have not yet been using some form of HBOM to date, there will be costs associated with implementing this or any compliance schema. This cost of doing business may add varying burdens to the supplier, depending on their size, cash flow and cost structure.
The TF noted in the Framework that “it may be reasonable to get a new HBOM when the vendor changes the version of a product that they offer.” So, vendors should build in that capability into their processes, automating its generation and distribution.
As the BOM landscape evolves, the TF envisions “a future state where this HBOM Framework can merge with emerging SBOM frameworks.” Further, the current HBOM Framework provides for including only basic information – the provider – for any firmware associated with hardware components, but it does not delve into the provenance and other attributes of that firmware. This too may be added to the future frameworks for which suppliers should prepare.