Talk:Software supply chain

Propsoal for deletion
A "software" bill of materials (BOM) is called a list of dependencies, or a list of dependent packages. The BOM terminology is widely used in supply chain, but, afaik, largely obscure in software affairs. Also, some (most?) references given in the page are actually linking back to materials that associated with regular supply chain BOMs, not software ones. While being fairly knowledgeable in both software and supply chain, I have never this term used anywhere. Not sure who came up with with page, but I believe it does not belong here. --Joannes Vermorel (talk) 13:50, 26 February 2020 (UTC)


 * It's certainly an issue of current interest and research. UL 2900 includes SBOM instructions. NTIA, FDA, DoD, Mitre and others are actively working on guidelines in this area for the US government. CodeCurmudgeon (talk) 16:58, 26 February 2020 (UTC)


 * I haven't had a chance to work in the newer materials yet, but I'll start gathering a few resources here until I have a chance to work on the article. CISQ is working with OMG to have an SBOM that works with NTIA https://www.it-cisq.org/software-bill-of-materials/ CodeCurmudgeon (talk) 22:52, 26 February 2020 (UTC)


 * Bob Martin of Mitre did this presentation at the Software Supply Chain Assurance Forum (hosted by NIST, DoD, DHS) last spring https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/SSCA/Spring_2019/8MayAM2.3_Software_Bill_of_Materials_Robert_Martin_05_08_19_clean.pdf CodeCurmudgeon (talk) 22:54, 26 February 2020 (UTC)


 * NTIA survey of existing SBOM formats (meaning SBOM is indeed in use enough to have multiple formats) https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_2019_0904.pdf CodeCurmudgeon (talk) 22:55, 26 February 2020 (UTC)


 * NTIA working group paper Framing Software Component Transparency: Establishing a Common Software Bill of Material (SBOM), NTIA Multistakeholder Process on Software Component Transparency, Framing Working Group https://www.ntia.gov/files/ntia/publications/framingsbom_20191112.pdf CodeCurmudgeon (talk) 22:57, 26 February 2020 (UTC)

SSCA is a government forum covering supply chain
Another good source of information for this is proceedings from the SSCA aka Software Supply Chain Assurance forum hosted by NIST as well as DoD, DHS, Mitre, and GSA. It's held a few times each year and is free and open to the public. I'll be pulling some of this material as well as the NTIA materials. https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/SSCA CodeCurmudgeon (talk) 23:00, 26 February 2020 (UTC)

SBOM is becoming mandatory
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ 134.247.251.245 (talk) 13:50, 26 July 2022 (UTC)
 * ... and being discussed in the EU. --User:Haraldmmueller 16:46, 14 August 2023 (UTC)