The Inner Circle


Mitre FDA Data Normalization Challenges and Mitigations in Software Bill of Materials Processing


    Posted Nov 07, 2024 05:20:00 AM

    Hi All,

    MITRE Corporation under contract with the U.S. Food and Drug Administration just published Data Normalization Challenges and Mitigations in Software Bill of Materials Processing.

    This white paper is directed at medical device sector stakeholders, discussing considerations of data normalization for producing SBOMs, SBOM ingestion at scale, and related issues.

     1.1 Approach

    MITRE conducted a landscape analysis to understand the data normalization challenges in generating SBOMs and identify potential mitigations.  

    MITRE reviewed the products developed by the National Telecommunications and Infrastructure Administration (NTIA) and Cybersecurity and Infrastructure Security Agency (CISA) community-led initiatives to define SBOMs and how they are generated and used.

    MITRE also conducted interviews with a broad sample of stakeholders, including CISA, the U.S. Food and Drug Administration (FDA), large Medical Device Manufacturers (MDMs), small MDMs, MDM trade associations, cybersecurity and regulatory consultants, participants in SBOM standardization efforts, and SBOM tool vendors.

    In addition, we surveyed the underlying technical infrastructure. We reviewed the specifications of the two widely used SBOM standards, Software Package Data Exchange (SPDX) and CycloneDX, and standards that may be used in creating CycloneDX SBOM content, such as Common Platform Enumeration (CPE) and Package Uniform Resource Locator (PURL) for unique identifiers, and Semantic Versioning for component versions. We examined the SBOM tools listed at the SPDX and websites to categorize the tools and their capabilities. We also reviewed approaches to data normalization used in various technologies, including databases and data science.



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
    ------------------------------