Despite the SBOM’s conceptual attractiveness as a simple tool for spotting potentially problematic software components, its value is still too limited to be helpful. “What I’m seeing is that SBOM is too nascent for department and agency proactive use,” Rebecca McWhite, cyber supply chain risk management technical Lead at NIST, said during the CISA conference.

Creating and updating software asset inventories is imperative

“I think the one area I’d say I’m pretty pessimistic about is SBOMs, which are probably the lowest priority thing in this whole space that I would recommend,” Lorenc said. “I think CISA has done a pretty good job explaining what benefits they do have, but for some reason, a lot of folks just latch on to SBOMs as this magical solution that will fix all of these issues.”

Lorenc thinks SBOMs should be a lower priority over more critical tasks, such as creating and updating software asset inventories, which he believes all too few organizations do well. “If you don’t even know what systems you’re running, it doesn’t make sense to query SBOMs for what’s inside those systems. And unless you have very, very, very good asset management in place, then SBOMs aren’t going to add much to your incident reporting.”