CISA Publishes Hardware Bill of Materials Framework

The US Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance designed to improve the accuracy of risk assessments related to hardware products in the supply chain.

The Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management is the work of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force.

It’s designed to encourage consistency in the naming of component attributes, a format for identifying and providing information on those components, and guidelines on what HBOM information is required based on the purpose for which the HBOM will be used.

There are three main components to the framework:

Read more on supply chain risk: Software Supply Chain Attacks Hit 61% of Firms

CISA National Risk Management Center assistant director and ICT SCRM Task Force co-chair, Mona Harrington, praised the new framework.

“The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain,” she added.

“With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience. By enhancing transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.”

While the HBOM Framework is certainly welcome, security teams are still waiting for a software equivalent to help them manage the extraordinary complexity of digital supply chain risk amid widespread use of open source components.