Revised Guide Formulated on Specific Methods for Managing Software Vulnerability Utilizing “Software Bill of Materials (SBOM),” a List of Software Components, as a Preparatory Guide for Cyberattacks

August 29, 2024

In July 2023, the Ministry of Economy, Trade and Industry (METI) formulated a guide whose intended readers are both companies that supply software and companies that procure it. The guide compiles the advantages of introducing SBOM and the key points that such companies should understand and act on when actually introducing it.

Since then, METI has continued to discuss methods by which all companies, including SMEs, can make use of SBOM more efficiently. As part of this effort, it held a call for public comments from April 26 to May 27, 2024, revised the guide based on the opinions submitted during that period, and hereby releases the revised guide.

Specifically, the revised guide adds the following points: (1) specific procedures and approaches for effectively utilizing SBOM throughout the series of processes for managing software vulnerability; (2) a framework to help companies decide the scope in which SBOM can appropriately be introduced, taking into consideration the effects and costs of introduction; and (3) matters (e.g., requirements, responsibilities, cost bearing, and rights) concerning SBOM that should be stipulated in contracts concluded between companies and their subcontractors.

1. Background and purpose

In recent years, SBOM, also called a “list of software components,” has attracted companies’ attention as one method of solving the software vulnerability management challenges that both software development organizations and software user organizations face. Secure-by-Design is an approach under which companies ensure the safety of IT products, software in particular, from the design process onward. It was formulated by the Cybersecurity and Infrastructure Security Agency (CISA) and jointly signed by the Government of Japan. Under this approach, software manufacturers are recommended to build and manage an SBOM for each product so that users can make use of it.

METI has been encouraging companies to make use of SBOM. As part of this effort, it compiled the advantages of introducing SBOM and the key points that companies should carry out when introducing it into a guide, released in July 2023 as the Guide of Introduction of Software Bill of Materials (SBOM) for Software Management ver. 1.0.

The Task Force for Evaluating Software Management Methods, etc. toward Ensuring Cyber/Physical Security, under the Cross-sectoral Sub-Working Group of Working Group 1 of the Study Group for Industrial Cybersecurity, advanced discussions on methods for helping all companies, including SMEs, make use of SBOM more efficiently. METI then opened a call for public comments on the revised version of the guide from April 26 to May 27, 2024. In response, it revised the guide as necessary based on the opinions submitted during the call and, after receiving approval from the Task Force, formulated the Guide of Introduction of Software Bill of Materials (SBOM) for Software Management ver. 2.0.

2. Outline of the guide ver. 2.0

The guide ver. 2.0 is intended for both companies that supply software and companies that procure it. In addition to the content of the guide ver. 1.0 released in July 2023, it includes the following information.

(1) Approaches to specifying the process for managing vulnerability (Chapter 7)

Companies are expected to use SBOM to effectively reduce the risk posed by software vulnerabilities through vulnerability management. Among the processes in which SBOM is used, the vulnerability management phase is considered particularly important. This chapter compiles the specific procedures and approaches for effectively using SBOM throughout the series of software vulnerability management processes, providing reference information that companies can use to enhance the effectiveness of their vulnerability management with SBOM.

(2) Addition of SBOM-compliant model (8. Appendix)

This model provides a framework to help companies decide the scope in which SBOM can appropriately be introduced, taking into consideration the effects and costs of introduction. Through use of this framework, it is expected that software under advanced management, i.e., secure software, will be evaluated appropriately by the market, thereby facilitating its distribution.

(3) Addition of SBOM-contract model (9. Appendix)

This model focuses on companies placing and receiving orders for software components and provides reference examples of matters (e.g., requirements, responsibilities, cost bearing, and rights) concerning SBOM that should be stipulated in contracts concluded between procurers and suppliers.

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau