New CISA framework offers improved hardware supply chain risk assessments
The U.S. Cybersecurity and Infrastructure Agency has released a new framework designed to improve the accuracy of risk assessments in the hardware supply chain.
The new Hardware Bill of Materials Framework for Supply Chain Risk Management, released Monday, is a product of the Information and Communications Technology Supply Chain Risk Management Task Force. It has been designed to offer a consistent and repeatable way for vendors and purchasers to communicate about hardware components. In doing so, the HBOM enables effective risk assessment and mitigation in the supply chain.
The HBOM framework recommends a consistent naming methodology for component attributes, a format for identifying and providing information about the different types of components, and guidance on what HBOM information is appropriate depending on the purpose for which the HBOM will be used.
The framework has several components. The first component — use case category — describes potential use cases that purchasers may have for HBOMs, based on the nature of the risk the purchaser seeks to evaluate. The second component offers a format that can be used to ensure consistency across HBOMs and to make HBOMs easier to produce and use. The last component — Data Field Taxonomy — provides a taxonomy of component and input attributes that may be appropriate to include in an HBOM.
“This methodology gives organizations a useful tool to evaluate supply chain risks with a consistent and predictable structure for a variety of use cases,” John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council and ICT SCRM Task Force co-chair, noted.
Javed Hasan, co-founder and chief executive of software supply chain management startup Lineaje Inc., told SiliconANGLE that the new framework should be commended because it parallels CISA’s software bill of materials initiatives and extends risk management to hardware components.
“With the increase in demand for IoT products, the synergy between SBOMs and HBOMs is becoming increasingly essential to achieve a holistic supply chain risk management strategy,” Hasan explained. “It means that organizations can now have a more comprehensive view of their entire supply chain, covering both software and hardware components. This integrated approach will lead to more robust and secure digital landscapes, better protection against emerging threats, and improved overall resilience.”
Kayla Underkoffler, lead security technologist at bug bounty startup HackerOne Inc., was also positive, noting that the “act of modernizing and building a practical framework driven by industry input for organizations is a great way to encourage widespread HBOM standardization and adoption.”
“The framework also succeeds in emphasizing the necessity of transparency within the supply chain to keep consumers safe,” Underkoffler added. “The risk level of a specific vulnerability within a product will be different for every buyer depending on implementation. It is imperative that buyers have as much information and context as possible so they can make calculated decisions to prioritize vulnerability handling and anticipate where they might emerge.”
Image: CISA