Summary:

Hosted by JANUS Associates, this framework was developed by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, a public-private, cross-sector body organized and co-chaired by CISA and representatives from the Information Technology (IT) and Communications Critical Infrastructure Sectors.

The Hardware Bill of Materials (HBOM) Framework creates a consistent, repeatable way for vendors to communicate to purchasers the hardware components in products they have purchased or may purchase, enabling purchasers to evaluate and mitigate risks in their supply chain. The framework’s objective is to set forth a reliable and predictable structure for HBOMs, with clearly defined data fields for HBOM components and their attributes.

Benefits of Illuminating Upstream Supply Chain Risks and the Role of HBOMs

The HBOM Framework provides a useful tool to help industry and government evaluate and address supply chain risks, especially those identified in past ICT SCRM Task Force reports. Those reports identified multiple economic and security risks associated with equipment components that may be untrusted, compromised, or subject to availability risks.

Scope & Key Points

This HBOM Framework includes a consistent naming methodology for component attributes, a consistent format for identifying and providing information about the different types of components, and guidance on what HBOM information is appropriate depending on the purpose for which purchasers and vendors will be using the HBOM.

  • It is meant to be flexible and allow purchasers and vendors to tailor it to their specific circumstances or use cases. It is meant to capture the components’ HBOM information as it stands at the time of the sale or exchange of goods.
  • The Framework provides basic guidance on including the firmware associated with the products’ components (i.e., the provider of the firmware). Still, it stops short of proposing a framework for examining the provenance and other attributes of that firmware.