For the first time in forever

Around the world, many governments and public sector folks have been advocating software guidelines of sorts. Recently, the use of open source software and consequently the security of the Software Supply Chain have come under scrutiny by several agencies in the public sector.

The Biden administration passing an executive order [1] on Cybersecurity first caught the attention of the world. This was followed by the EU’s CRA [2] and Japan’s emphasis on protecting critical infrastructure [3].

I always found India’s actions on this lacking. However, the timing of the DPDP act took me by surprise. However, the latest guidance issued by the Indian Computer Emergency Response Team for Software Bill of Materials has really been amazing.

The Indian Computer Emergency Response Team (CERT-In) [4] has released essential technical guidelines for Software Bill of Materials (SBOM). This guidance is specifically designed for public sector organizations, government entities, essential service providers, software exporters, and industry stakeholders.

SBOM, a detailed inventory of components used in software, has gained global recognition as a crucial tool for enhancing software security and transparency. By providing a comprehensive list of software components, SBOM helps organizations identify and address vulnerabilities, mitigate risks, and ensure compliance with regulatory requirements.

CERT-In’s guidance aligns with international standards and recommendations, reinforcing the importance of SBOM in securing global software supply chains. By adopting SBOM practices, organizations can foster trust among stakeholders, improve software quality, and protect against cyber threats.

Link to PDF: https://www.cert-in.org.in/PDF/SBOM_Guidelines.pdf

What I’d love to see are opinions and thoughts from various folks here about the content, timing, positioning, and any other aspects of this announcement.

[1] Executive Order on Improving the Nation's Cybersecurity | The White House
[2] EU Cyber Resilience Act | Shaping Europe’s digital future
[3] https://www.nisc.go.jp/eng/pdf/cip_policy_2022_eng.pdf
[4] https://cert-in.org.in/

3 Likes
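As an added illustration of the point in the post that an SBOM is an inventory that lets an organization spot vulnerable components, the following example (not part of the original post and not taken from the CERT-In guidelines) parses a small SBOM and matches its components against an advisory list. It assumes the CycloneDX JSON layout for the SBOM; the package names, versions and advisory identifiers are constructed placeholders, not real advisories. It also flags components that lack a version, since an entry without a version cannot be matched against any advisory and is a gap in the inventory rather than evidence of safety.

```python
import json
from typing import Dict, List, Tuple

# Constructed SBOM in CycloneDX JSON layout (format assumed; package names are made up).
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json", "version": "2.4.1", "purl": "pkg:pypi/example-json@2.4.1"},
    {"type": "library", "name": "example-tls",  "version": "1.0.3", "purl": "pkg:pypi/example-tls@1.0.3"},
    {"type": "library", "name": "example-log",  "version": "3.2.0", "purl": "pkg:pypi/example-log@3.2.0"},
    {"type": "library", "name": "example-util"}
  ]
}
"""

# Constructed advisory feed: (package name, first affected version, first fixed version, placeholder id).
# Versions are tuples so they compare numerically rather than as strings.
ADVISORIES = [
    ("example-tls", (1, 0, 0), (1, 0, 4), "ADV-PLACEHOLDER-1"),
    ("example-log", (3, 3, 0), (3, 3, 2), "ADV-PLACEHOLDER-2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '1.0.3' into (1, 0, 3)."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json: str) -> List[Dict]:
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def missing_identifiers(components: List[Dict]) -> List[str]:
    """Names of components that carry no version: they cannot be matched against advisories."""
    return [c.get("name", "<unnamed>") for c in components if "version" not in c]


def find_affected(components: List[Dict], advisories) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory id) for every component inside an advisory's affected range."""
    hits = []
    for comp in components:
        if "version" not in comp:
            continue  # reported separately by missing_identifiers()
        version = parse_version(comp["version"])
        for name, first_affected, first_fixed, adv_id in advisories:
            if comp["name"] == name and first_affected <= version < first_fixed:
                hits.append((comp["name"], comp["version"], adv_id))
    return hits


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for name, version, adv_id in find_affected(comps, ADVISORIES):
        print(f"AFFECTED: {name} {version} ({adv_id})")
    for name in missing_identifiers(comps):
        print(f"UNMATCHABLE: {name} has no version in the SBOM")
```

Run as a script it reports `example-tls 1.0.3` as affected (it falls inside the constructed 1.0.0 to 1.0.4 range), leaves `example-log 3.2.0` alone (below the affected range), and lists `example-util` as unmatchable. The last case is the one worth watching in practice: an SBOM with incomplete entries produces a clean-looking scan result that means nothing for those components.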