Software Bill of Materials

Exploring a Proof-of-Concept for the Energy Community

The Energy Sector Software Bill Of Materials (SBOM) Proof of Concept (POC) effort is a partnership between DOE CESER and the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to develop and explore the application of SBOMs within energy sector environments. Using an open, transparent, consensus-based process, this diverse stakeholder group is developing tools, technologies, and use cases to catalyze SBOM adoption by technology vendors and asset owners in the energy sector.

This site highlights the discussions and outcomes of the Energy Sector SBOM POC effort since work began in April 2021.

For more information on SBOM work, visit CISA’s SBOM resources page.

Energy SBOM POC Meetings

The SBOM POC group has met monthly since April 2021 to advance SBOM development in the energy sector and share information with the stakeholder community.

Meeting topics are presented in reverse chronological order below. Click each topic to view a recording of each meeting.

Energy SBOM Information Sessions

Overview of SBOM Energy POC

Framing Software Supply Chain Transparency

Lessons from the Field

Planning a POC for Energy Community

Overview of SBOM Energy POC

January 26, 2021

Provides an overview of the SBOM work across a range of industries and communities during the past several years.

Presentation: An overview of SBOM
Presentation: SBOM use cases for the energy sector
Presentation: Experimenting with SBOM – lessons from the healthcare sector
Presentation: Experimenting with SBOM – early steps in the Automotive sector

Framing Software Supply Chain Transparency

February 18, 2021

Provides a technical deep dive into what an SBOM is, the process for developing SBOMS, and how they are being implemented, including data formats and tools.

Presentation: Technical Overview: Framing and Architecture
Presentation: Technical Overview: Formats and Tooling

Lessons from the Field

March 24, 2021

Offers lessons from the field, including work with DOE’s CyTRICS program, supplier and customer perspectives on SBOMs in the healthcare field, and perspectives from the automotive and IT industries.

Presentation: Medical Device Manufacturer Perspective and Lessons

Planning a POC for Energy Community

April 12, 2021

Explores the SBOM POC effort that later kicked off on April 26, 2021.

Presentation: Exploring a Proof-of-Concept for the Energy Sector

Meeting Materials 2022

Sharing SBOMs

All Hazards Analysis (AHA) VEXing

Discussion of SBOMs at Microsoft and Google

Towards SBOMs in the Nuclear Industry

How to Build SBOM from Binaries

VEX Energy Overview

Debrief of S4 SBOM Exercise

SBOM Transports

Venues for SBOM Discussion

Sharing SBOMs

December 14, 2022

A joint report on DOE-CESER and DHS-CISA collaborations on SBOM research and development.

All Hazards Analysis (AHA) VEXing

October 19, 2022

Michael Hoover demonstrates how to link SBOM and VEX-driven component-level risk analysis with systemic critical interdependency analysis using INL’s All Hazards Analysis tool, (AHA).

Learn More

Discussion of SBOMs at Microsoft and Google

October 19, 2022 Adrian Digilio from Microsoft discusses Microsoft’s Open Source SBOM Tool and Isaac Hepworth from Google discusses Google’s approach to SBOM adoption.

Towards SBOMS in the Nuclear Industry

September 21, 2022 A recording of DOE’s bi-weekly meetings on SBOMs.

How to Build SBOM from Binaries

AUGUST 17, 2022 Using CyTRICS program research to tell a "round-about" story of SBOMs.

VEX Energy Overview

JUNE 15, 2022 An update to VEX vulnerabilities and some tricks for addressing them.

Debrief of S4 SBOM Exercise

May 18, 2022 Discuss exercises and feedback from the S4x22 conference session; CISA working group updates and CycloneDx announcements.

SBOM Transports

March 16, 2022 Energy Sector Software Bill of Materials discussion: survey results of software bill of materials transports.

Venues for SBOM Discussion

FEBRUARY 16, 2022 A review of SBOM’s activities from past year and preview of discussion opportunities and path ahead for 2022.

Meeting Materials 2021

Energy SBOM Retrospective

JuiceBox Demonstration

Healthcare Proof of Concept

SBOM and VEX

SBOM Open Source

Making an SBOM

Use Cases - Part 1

Use Cases - Part 2

Minimum Elements for SBOM

Healthcare Lessons Learned

Brainstorming

Mural Synthesis Work

Energy SBOM POC Charter

Proof of Concept Kickoff, Apr. 26, 2021

Energy SBOM Retrospective

DECEMBER 1, 2021 A retrospective analysis of the past year of Energy SBOM work and brainstorming for the year ahead.

JuiceBox Demonstration

NOVEMBER 17, 2021 A detailed walkthrough of the SBOM elements within the Juicebox open source product.

Healthcare Proof of Concept

NOVEMBER 3, 2021 Cooking Class: Presented by Tim Walsh of the Mayo Clinic

SBOM and VEX

OCTOBER 20, 2021 Cooking Show: Dr. Allan Friedman of CISA explains the concept and importance of the Vulnerabilities Exploitability eXchange (VEX) format, for reporting the status of component vulnerabilities.

SBOM Open Source

OCTOBER 6, 2021 Cooking Class: Thomas Steenbergen of Here.com discusses how the European auto industry is now using SBOMs in the SPDX format.

Making an SBOM

SEPTEMBER 21, 2021 Cooking Class: Steve Springett, leader of the OWASP CycloneDX project, demonstrates how to create an SBOM in that format.

Use Cases

AUGUST 25, 2021 Part 2 - This session will discuss use cases for SBOM.

Use Cases

SEPTEMBER 8, 2021 Part 2 - This session will discuss use cases for SBOM.

Minimum Elements for SBOM

JULY 14, 2021

Additional resources:

Learn More

Healthcare Lessons Learned

JUNE 30, 2021
Cooking Class: Jennings Aske of NY Presbyterian Medical Center and Jim Jacobson of Siemens Healthineers discuss lessons learned in the Healthcare SBOM PoC, which started in 2018 and continues today.

Learn More

Brainstorming

JUNE 16, 2021

Learn More

MURAL Synthesis Work

JUNE 2, 2021

Agenda: To identify specific topics, use cases, and technology gaps the POC would like to focus on in the remainder of the calendar year. We will be using a tool called MURAL to allow the group to work together and we will send an advance copy of the “board” in case there are those for whom this technology will not work.

Learn More

Energy SBOM POC Charter

May 19, 2021

The Project Charter captures high level planning information (scope, deliverables, assumptions, etc.) about the SBOM Proof of Concept effort.

Agenda:

Review draft charter for Energy Sector SBOM POC
Facilitated feedback and discussion around charter and mission
Logistics and organization moving forward

Final Charter PDF

Proof of Concept Kickoff, Apr. 26, 2021

Attendees may be interested in this review of SBOM use cases, and the benefits across the ecosystem. We encourage you to review it before Monday’s meeting: NTIA SBOM Use Cases Roles and Benefits, 2019 [PDF]

Learn More

Additional Resources

NTIA SBOM Resources

CISA SBOM Resources

Illuminating Digital Supply Chain Risk Webinar

NTIA SBOM Resources

The National Telecommunications and Information Administration (NTIA) led an early multi-stakeholder effort to develop informational and technical resources for SBOMs between 2018-2021.

Click Learn More to review these foundational resources.

Learn More

CISA SBOM Resources

The Energy SBOM POC effort is a partnership between DOE CESER and DHS CISA. CISA is leading other SBOM-related efforts that inform and draw from this work.

Click Learn More to review the CISA workstreams and resources.

Learn More

Illuminating Digital Supply Chain Risk Webinar

April 30, 2021

Auburn University’s McCrary Institute hosted a panel discussion on growing policy support for BOMs, implementation challenges, and strategic use cases. Panelists include representatives from DOE, Idaho National Laboratory, NTIA, Unisys, and Microsoft Azure.

Learn More

Sponsor

Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today by improving energy infrastructure security and supporting the Department of Energy’s national security mission. CESER’s focus is preparedness and response activities to natural and man-made threats, while ensuring a stronger, more prosperous, and secure future for the nation.

Participating Organizations

Idaho National Laboratory is a world leader in providing industrial control system (ICS) cybersecurity workforce training and development. The laboratory’s distinctive history in protecting critical infrastructure systems puts the lab at the forefront of thought leadership and applied innovation in critical infrastructure cybersecurity education. INL uses a comprehensive approach to developing ICS cybersecurity training programs that can be tailored to meet the energy sector’s needs identified by the DOE, utilities, and other organizations.

National Telecommunications and Information Administration (NTIA) is the Executive Branch agency that is principally responsible for advising the President on telecommunications and information policy issues. NTIA’s programs and policymaking focus largely on expanding broadband Internet access and adoption in America, expanding the use of spectrum by all users, and ensuring that the Internet remains an engine for continued innovation and economic growth.