METI - Ministry of Economy, Trade and Industry of the State of Japan

09/04/2025 | Press release | Archived content

METI Jointly Signs International Guidance on a Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity with National Cybersecurity Office (NCO)

September 4, 2025

Joint press release with the National Cybersecurity Office (NCO)

Safety and Security

On September 3, 2025, the National Cybersecurity Office (NCO) and the Ministry of Economy, Trade and Industry (METI) jointly signed "A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity" (hereinafter referred to as the "Document"), which contains international guidance highlighting the importance of utilizing SBOM for managing software vulnerability.

The Document was created under the leadership of METI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) with the aim of disseminating the importance of utilizing SBOM to the world and developing international joint guidance on the operation of SBOM.

Going forward, METI plans to continue international discussions toward formulating guidance that will specify more technical details.

1. Background and purpose

In recent years, regarding the management of software vulnerability, SBOM, which is also called a "list of software components," has attracted companies' attention as one method of solving problems faced by both software development organizations and software user organizations. Secure-by-Design is an approach taken by companies to ensure safety in IT products, in particular, software, beginning in the design process. It was formulated by the Cybersecurity and Infrastructure Security Agency (CISA) and jointly signed by the National Cybersecurity Office (formerly known as the National Center of Incident Readiness and Strategy for Cybersecurity (NISC)). In this approach, manufacturers of software are recommended to build and manage SBOM into products so that users can make use of SBOM.

In Japan, METI has been conducting demonstrations and holding discussions on the utilization of SBOM in the Task Force for Evaluating Software Management Methods, toward Ensuring Cyber/Physical Security under the Cross-sectoral Sub-Working Group of the Study Group for Industrial Cybersecurity's Working Group 1 (enhancing effectiveness and international cooperation), bringing together experts and industry associations from various fields. Taking into account the discussions in the task force, METI compiled a list of advantages for companies that introduce SBOM and key points and actions that companies should carry out in introducing SBOM into a guide and released it as the Guide on Introduction of Software Bill of Materials (SBOM) for Software Management ver. 1.0 in July 2023, and ver. 2.0 in August 2024.

Since 2024, under the leadership of METI and the U.S. CISA, we have been working on drafting an international document with the aim of widely and internationally disseminating the importance of utilizing SBOM and developing international joint guidance on the operation of SBOM. The Document is a result of such effort and is guidance that presents the common understanding among countries regarding the importance of utilizing SBOM. Cybersecurity authorities from a total of 15 countries jointly signed the Document, including Japan, the U.S., the Federal Republic of Germany, the French Republic, the Italian Republic, the Kingdom of the Netherlands, Canada, the Commonwealth of Australia, New Zealand, the Republic of India, the Republic of Singapore, the Republic of Korea, the Republic of Poland, the Czech Republic, and the Slovak Republic. NCO and METI participated in jointly signing the Document from Japan.

2. Outline of the Document

The Document targets software developers, procurers, operators, and government agencies in the cybersecurity sector who will benefit from the software ecosystem and the increasing transparency of SBOM data. It includes the following information.

(1) What is an SBOM?

SBOM is a formal record of the component details and supply chain relationships used to build software.

(2) Advantages in introducing SBOM

  • Efficient software vulnerability management
  • Supply chain risk management (selecting safe software/smooth communication between users and suppliers)
  • Improving the software development process
  • Efficient software license management

(3) SBOM stakeholders and their benefits

  • Software developers: They will be able to select the components that best suit their needs and respond appropriately to vulnerability information.
  • Procurers: Transparency of software information enables procurement decisions based on risk information.
  • Operators: It will be easier to determine which software should be addressed regarding new vulnerability information.
  • Government agencies: It will be possible to improve the security risk management system across the country through the utilization of SBOM in the procurement processes.

(4) The Importance of SBOM in Secure-by-Design

  • The utilization of SBOM is consistent with the Secure-by-Design principle, which requires software manufacturers and developers to ensure supply chain transparency and accept accountability.

3. Future plans

The Document is simple guidance presenting the common understanding among countries regarding the importance of utilizing SBOM. METI plans to continue international discussions toward formulating guidance that will provide more specific and technical information.

Related Materials

  • A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity (PDF: 807KB)

Related Links

  • Joint Signature Leadership Comment (U.S. Cybersecurity and Infrastructure Security Agency (CISA))
  • Guidance on Introduction of Software Bill of Materials (SBOM) for Software Management (PDF: 3,082KB)
  • Revised Guide Formulated on Specific Methods for Managing Software Vulnerability Utilizing "Software Bill of Materials (SBOM)," a List of Software Components, as a Preparatory Guide for Cyberattacks (August 29, 2024)
  • "Guide on Introduction of Software Bill of Materials (SBOM) for Software Management" Formulated (July 28, 2023)

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau

Related website
  • Cybersecurity / Press Release
METI - Ministry of Economy, Trade and Industry of the State of Japan published this content on September 04, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 12, 2025 at 08:53 UTC.