CISA task force aims to improve supply chain security with new hardware standards


The Hardware Bill of Materials Framework looks to standardize how vendors and customers communicate about the capabilities and use of hardware systems.

The Cybersecurity and Infrastructure Security Agency released a new framework to help standardize how technology hardware vendors communicate information about the components in their products to customers, with the aim of further mitigating risks in the systems that make up the U.S. supply chain.

Developed by the Information and Communications Technology Supply Chain Risk Management Task Force within CISA, the new Hardware Bill of Materials Framework is intended to give purchasers and suppliers in the hardware technology industry a shared, codified way to describe hardware components and how they are meant to be used.

That includes consistent naming for components and defined use cases for hardware operating within supply chains.

“The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington in prepared remarks. “With standardized naming, comprehensive information and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience.”

The goal of standardizing hardware use cases and definitions is to strengthen cybersecurity in U.S. supply chains. By documenting the intended use cases for common hardware and describing them in a single shared vocabulary, CISA and the ICT Task Force aim to help organizations avoid deploying hardware that is unsuited to, or faulty for, a given operation.

Three use case categories were outlined in the framework: compliance, security and availability. With this common lexicon, suppliers and purchasers will ideally be able to communicate more efficiently about the specific systems needed for secure supply chain operations. 

“This methodology gives organizations a useful tool to evaluate supply chain risks with a consistent and predictable structure for a variety of use cases,” said John Miller, the ICT Task Force co-chair and the senior vice president of policy and general counsel at the Information Technology Industry Council. “The product was developed by the ICT SCRM Task Force’s HBOM Working Group, which includes subject matter experts from a diverse set of private and public sector organizations.”

Like CISA’s other technological frameworks, the Hardware Bill of Materials is voluntary. However, the framework’s coauthors stress the benefits of a unified approach to incorporating hardware devices into U.S. supply chain processes absent broad mandatory guidance. 

“This resource plays a vital role in adopting proactive approaches to mitigate risks effectively,” said Robert Mayer, fellow ICT Task Force co-chair and senior vice president of Cybersecurity and Innovation at USTelecom.