The Energy Sector Software Bill Of Materials (SBOM) Proof of Concept (POC) will convene a group of diverse energy-sector stakeholders in an open, transparent, consensus-based process to explore the application of SBOMs within energy sector environments and catalyze progress in SBOM adoption to increase transparency of software components within the sector.

In an open forum, this group will develop tools and technologies for SBOM adoption into the energy sector, including leveraging the work of the following NTIA SBOM Working Groups:

• Framing – SBOM specification and structures
• Formats and Tooling – Automation of SBOMS including tools, processes, and playbooks
• Awareness and Adoption – Outreach strategies and business cases
• Automotive Proof of Concept – Explored adoption of SBOM within the Automotive Sector
• Healthcare Proof of Concept – Explored adoption of SBOM within the Medical Device Community

This is an introduction to the practice of Software Bill of Materials (SBOM), supporting literature, and the pivotal role SBOMs play in providing much-needed transparency: enabling stakeholders to answer questions like “Am I affected?” and “Where am I affected?” when faced with a supply chain concern.

SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships. These inventories should be comprehensive – or should explicitly state where they could not be. SBOMs may include open source or proprietary software and can be widely available or access-restricted.

SBOMs should also include baseline attributes with the ability to uniquely identify individual components in a standard data format. The most efficient generation of SBOMs is as a byproduct of a modern development process. For older software, less-automated methods exist.

Sponsor

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today by improving energy infrastructure security and supporting the Department of Energy’s national security mission. CESER’s focus is preparedness and response activities to natural and man-made threats, while ensuring a stronger, more prosperous, and secure future for the nation.

Participating Laboratories and Organizations

Idaho National Laboratory is a world leader in providing industrial control system (ICS) cybersecurity research and development. The laboratory’s distinctive history in protecting critical infrastructure systems puts the lab at the forefront of thought leadership and applied innovation in critical infrastructure cybersecurity testing. INL uses a comprehensive approach to developing ICS cybersecurity research to meet the energy sector’s needs identified by the DOE, utilities, and other organizations.

National Telecommunications and Information Administration (NTIA) is the Executive Branch agency that is principally responsible for advising the President on telecommunications and information policy issues. NTIA’s programs and policymaking focus largely on expanding broadband Internet access and adoption in America, expanding the use of spectrum by all users, and ensuring that the Internet remains an engine for continued innovation and economic growth.