Lucent Sky AVM for NTIA minimum elements for an SBOM

2022/4/14

The U.S. Presidential Executive Order on Improving the Nation's Cybersecurity (14028), released on May 12, 2021, calls for sweeping improvements to modernize Federal Government cybersecurity and enhance software supply chain security. Among its requirements is a Software Bill of Materials (SBOM) for software sold to the government. As directed by the executive order, the National Telecommunications and Information Administration (NTIA) published the report The Minimum Elements For a Software Bill of Materials (SBOM) on July 12, 2021. The minimum elements cover three areas (data fields, automation support, and practices and processes); the data fields consist of seven specific items that every SBOM entry must carry.

XML reports generated by Lucent Sky AVM version 2203 MR include these seven fields and help organizations achieve compliance with the executive order.

Mapping NTIA fields to Lucent Sky AVM XML reports

The following table provides mapping between NTIA fields and Lucent Sky AVM XML reports.

NTIA field                  NTIA description                                                                                  Lucent Sky AVM XML report
Supplier Name               The name of an entity that creates, defines, and identifies components                            /report/file/dependency/@Vendor
Component Name              Designation assigned to a unit of software defined by the original supplier                       /report/file/dependency/@Name
Version of the Component    Identifier used by the supplier to specify a change in software from a previously identified version   /report/file/dependency/@Version
Other Unique Identifiers    Other identifiers that are used to identify a component, or serve as a look-up key for relevant databases   /report/file/@Hash
Dependency Relationship     Characterizing the relationship that an upstream component X is included in software Y           /report/scan/@ProjectName
Author of SBOM Data         The name of the entity that creates the SBOM data for this component                              /report/scan/@ReportAgent
Timestamp                   Record of the date and time of the SBOM data assembly                                             /report/scan/@Time
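As an added example (not code from this article or from Lucent Sky), the following Python script reads a report shaped like the XPaths in the mapping table and emits one record per dependency with the seven NTIA fields, flagging records where a field is absent. The sample report, its element layout beyond the listed XPaths and all of its values are constructed for the example; a real Lucent Sky AVM report may carry additional elements and attributes.

```python
"""Pull the seven NTIA minimum-element data fields out of a Lucent Sky AVM-style XML report.

Added example, not code from the article or from Lucent Sky. The sample report below is
constructed to match the XPath mapping in the table; a real report may carry more elements
and attributes, and its XMLDSIG signature should be verified before the data is trusted.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample report (not real Lucent Sky AVM output); all values are made up.
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8"?>
<report>
  <scan ProjectName="PaymentService" ReportAgent="Lucent Sky AVM 2203 MR" Time="2022-04-14T09:30:00Z"/>
  <file Hash="2fd4e1c67a2d28fced849ee1bb76e7391b93eb12">
    <dependency Vendor="FasterXML" Name="jackson-databind" Version="2.12.6"/>
  </file>
  <file Hash="da39a3ee5e6b4b0d3255bfef95601890afd80709">
    <dependency Vendor="Apache Software Foundation" Name="log4j-core" Version="2.17.1"/>
    <dependency Vendor="Apache Software Foundation" Name="log4j-api" Version="2.17.1"/>
  </file>
  <file Hash="0000000000000000000000000000000000000000">
    <dependency Name="mystery-lib"/>
  </file>
</report>
"""

# Order follows the NTIA "Minimum Elements" data-field list.
NTIA_FIELDS = (
    "supplier_name",
    "component_name",
    "component_version",
    "other_unique_identifiers",
    "dependency_relationship",
    "author_of_sbom_data",
    "timestamp",
)

Record = Dict[str, Optional[str]]


def extract_components(report_xml: str) -> List[Record]:
    """Return one record per <dependency>, keyed by NTIA field name.

    Mapping (from the article's table):
      supplier_name            <- /report/file/dependency/@Vendor
      component_name           <- /report/file/dependency/@Name
      component_version        <- /report/file/dependency/@Version
      other_unique_identifiers <- /report/file/@Hash
      dependency_relationship  <- /report/scan/@ProjectName (the component is included in this project)
      author_of_sbom_data      <- /report/scan/@ReportAgent
      timestamp                <- /report/scan/@Time
    """
    root = ET.fromstring(report_xml)
    if root.tag != "report":
        raise ValueError(f"unexpected root element <{root.tag}>, expected <report>")
    scan = root.find("scan")
    if scan is None:
        raise ValueError("report has no <scan> element; author, timestamp and project are unknown")

    project = scan.get("ProjectName")
    author = scan.get("ReportAgent")
    timestamp = scan.get("Time")

    records: List[Record] = []
    for file_el in root.findall("file"):
        file_hash = file_el.get("Hash")
        for dep in file_el.findall("dependency"):
            records.append({
                "supplier_name": dep.get("Vendor"),
                "component_name": dep.get("Name"),
                "component_version": dep.get("Version"),
                "other_unique_identifiers": file_hash,
                "dependency_relationship": project,
                "author_of_sbom_data": author,
                "timestamp": timestamp,
            })
    return records


def missing_fields(record: Record) -> List[str]:
    """NTIA field names that are absent or empty in a record. An unknown supplier or
    version is common for vendored or renamed binaries and must not be silently dropped."""
    return [name for name in NTIA_FIELDS if not record.get(name)]


def check_report(report_xml: str) -> Tuple[List[Record], List[Tuple[str, List[str]]]]:
    """Extract all records and list (component name, missing fields) for incomplete ones."""
    records = extract_components(report_xml)
    incomplete = [(r["component_name"] or "<unnamed>", missing_fields(r))
                  for r in records if missing_fields(r)]
    return records, incomplete


if __name__ == "__main__":
    recs, bad = check_report(SAMPLE_REPORT)
    for r in recs:
        print(f'{r["supplier_name"]}:{r["component_name"]}:{r["component_version"]}'
              f'  hash={r["other_unique_identifiers"]}')
    for name, fields in bad:
        print(f"incomplete: {name} lacks {', '.join(fields)}")
```

Note that the page's mapping expresses the dependency relationship only at project level (every component is "included in" the scanned project); the nesting of a dependency under its containing file is additional context the script keeps through the file hash but does not turn into a component-to-component relationship, because the table does not define one.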

Lucent Sky AVM also digitally signs each XML report using the XMLDSIG standard to protect its integrity. Stakeholders and auditors can use Lucent Sky Report Validation to verify that a report was not altered after it was signed. The signature should be checked before SBOM data is extracted from a report received from another party; note that it attests that the document is unchanged since signing, not that the dependency data the scanner recorded is complete or accurate.