Public procurement is crucial for ensuring that socially important services and systems are both secure and reliable. With increasing requirements for transparency and security, SBOM (Software Bill of Materials) has become an indispensable tool for guaranteeing that suppliers meet high security standards.
When public organizations purchase software or digital services, they can now require suppliers to provide an SBOM. This document functions as a detailed ingredient list for the software, showing all components used, their origins, and any known vulnerabilities. By making this requirement, it is ensured that suppliers have full control over their software and that no components pose a security risk.
Benefits of SBOM in public procurement
-
Increased transparency
By requiring SBOM from suppliers, public organizations get a clear picture of which components are used in the software they purchase. This makes it easier to understand and evaluate the software's security and quality before implementing it in critical systems.
-
Improved security
SBOM makes it possible to quickly identify and address vulnerabilities in the software. If a security flaw is discovered in a certain component, the SBOM can be used to quickly locate which systems are affected and take necessary measures to protect them.
-
Compliance with regulations
Laws and regulations such as NIS2 and CRA place high requirements on transparency and security in public procurement. By integrating SBOM into the procurement process, organizations can ensure they follow these requirements and avoid potential legal problems.
How to use SBOM in public procurement
To effectively utilize SBOM in public procurement, you can follow these steps:
-
Require SBOM from suppliers
Include a requirement in the procurement documentation that suppliers shall provide a detailed SBOM. This ensures that all bidders are aware of the importance of transparency and security from the start.
-
Review SBOMs regularly
It's not enough to just request an SBOM. Regular review of SBOMs helps ensure that no new vulnerabilities have appeared in the supply chain. Automated tools can facilitate this process by continuously scanning SBOMs for new security risks.
-
Ensure compliance
Use the SBOM to verify that suppliers meet all relevant laws and regulations. This can include checking licenses, security standards, and other specific requirements placed on the public sector.
Challenges and solutions
Implementing SBOM in public procurement may face certain challenges, such as suppliers' adaptation to new requirements and handling large amounts of data. To overcome these barriers, organizations can:
-
Provide clear guidelines and support
Help suppliers understand how to create and deliver SBOMs by offering clear instructions and recommending specific tools like CycloneDX or SPDX.
-
Use automated tools
Tools like SBOM Observer can streamline the management and analysis of SBOMs, making it easier to keep information current and accurate.
The future of SBOM in public procurement
SBOM will likely become a standard part of public procurement going forward. With the increasing digitalization of socially important services, it becomes increasingly important to have a transparent and secure software landscape.
By continuing to integrate SBOM into the procurement process, public organizations can not only improve security but also promote a culture of responsibility and transparency throughout the entire supply chain.