July 28, 2023
The Ministry of Economy, Trade and Industry (METI) has focused on the Software Bill of Materials (SBOM), a list of software components, as one method of managing software to ensure its security at a time when threats to software are growing rapidly as software supply chains become more and more complex, and it has been holding discussions on encouraging companies to utilize SBOM. METI hereby announces that it has formulated a guide, mainly targeting software suppliers, that compiles the advantages of introducing SBOM and the key points that companies should recognize and act on when actually introducing it.
METI expects that dissemination of the guide will encourage more and more companies to introduce SBOM, enabling them to manage software appropriately, including shortening the time needed to take a first response to a software vulnerability and reducing management cost, and thereby improving their development productivity. METI also expects the guide to help industrial players improve their cybersecurity performance.
1. Background and purpose
In recent years, the importance of software in industries has been growing as the servitization of industrial activities progresses. Specifically, software is now used even to control industrial machinery, automobiles, and other devices. In addition, for IoT equipment and services and 5G technology, companies are likely to use software to embed a variety of functions in hardware systems already built from general-purpose equipment, expecting the creation of a variety of added value. As these examples show, a growing number of companies are making use of software, including open source software (OSS).
While companies have been advancing the integration of cyberspace and physical space as described above, they face growing security threats to their software, such as the serious impact of software vulnerabilities on company management. To address this, it is important for companies to manage software appropriately in order to strengthen their own security. However, as software supply chains become more complex and the use of OSS becomes widespread, companies face a challenge: difficulty in ascertaining the details or components of software even though that software is used in their own products.
Regarding the management of software vulnerabilities described above, a Software Bill of Materials (SBOM), also called a “list of software components,” is attracting companies’ attention as one method of solving the challenges that both software development organizations and software user organizations face. In the United States, action under the Executive Order to strengthen security measures in software supply chains, including SBOM in federal government organizations, has been progressing. In addition, the QUAD (Quadrilateral Security Dialogue) released joint principles setting out policies for the safe development, procurement, and operation of software to ensure the security of software procured by governments. The principles uphold the appropriate management of detailed information on software components, including SBOM, and of information on the supply chains of such components.
METI established a “Task Force for Evaluating Software Management Methods, etc. toward Ensuring Cyber/Physical Security under the Cross-sectoral Sub-Working Group of the Study Group for Industrial Cybersecurity's Working Group 1.” The Task Force held demonstration tests and discussions on the utilization of SBOM and other efforts, bringing together experts and stakeholders of industrial associations in a variety of fields, and it compiled the results into “Guide of Introduction of Software Bill of Materials (SBOM) for Software Management” mainly targeting software suppliers.
2. Outline of the guide
The guide provides basic information on SBOM, including the advantages of introducing SBOM to companies and misunderstandings and facts about SBOM, and it also offers phase-by-phase key points that companies should recognize and act on when actually introducing SBOM, namely [i] the environment and system development phase, [ii] the SBOM production and sharing phase, and [iii] the SBOM use and management phase.
The guide mainly targets software suppliers engaged in packaged software and embedded software as its readers. User companies that procure and utilize software can, of course, also make use of the guide. Specifically, the guide is intended to help organizations that face challenges in managing software vulnerabilities, and those that are aware of the term “SBOM” and of the need to introduce it but do not yet understand the specific advantages of doing so or how to introduce it, when they consider SBOM as one method of managing software.
- Guide of Introduction of Software Bill of Materials (SBOM) for Software Management Ver.1.0 (in Japanese)(PDF:2,385KB)
- Summary of the Guide of Introduction of Software Bill of Materials (SBOM) for Software Management (in Japanese)(PDF:849KB)
- Appendix (checklist) to the Guide of Introduction of Software Bill of Materials (SBOM) for Software Management (in Japanese)(Excel:12KB)
- Task Force for Evaluating Software Management Methods, etc. toward Ensuring Cyber/Physical Security (in Japanese)
- Collection of Use Case Examples Regarding Management Methods for Utilizing OSS and Ensuring Its Security (in Japanese)(PDF:11,252KB)
Division in Charge
Cybersecurity Division, Commerce and Information Policy Bureau