Why SBOMs are critical to complying with the EU Cyber Resilience Act

‍

With global annual cost of cybercrime topping $6 trillion in 2021, digital products are increasingly under scrutiny for their vulnerability to cyberattacks.

The root of this growing problem stems from our current low cybersecurity standards which permit vulnerabilities to thrive but fail to implement the necessary and recurring security updates to mitigate them. Exacerbating an already grave situation is that users often lack the valuable information that helps them choose more secure products or use them more securely.

To address this, on September 15, 2022, the European Commission published a proposal for adopting regulations on cybersecurity requirements for products with digital elements, also known as the Cyber Resilience Act (CRA).

Pointing to various crippling attacks – including the Wanna Cry ransomware worm that exploited 200,000 computers across 150 countries and the Kaseya VSA supply chain attack that affected over 1,500 organizations – the proposal acknowledges that the expanding and borderless nature of attacks means that a wide, international governmental response is required, more so given the global reach of the software market.  

The CRA aims to establish, regulate, enforce, and harmonize the fundamental security requirements of developing and in-market software throughout their life cycle.

As the EU looks to various bodies to begin developing standards, one major strategy relating to impending reporting obligations stands out: the importance of a software bill of materials (SBOM) in the CRA.

The EU will be expecting due diligence and compliance from manufacturers, developers, and vendors, and SBOMs will be a critical tool to meeting the requirements of the Act.

To help you understand their place in the coming regulatory changes, we’ll take a look at how the CRA relies on SBOMs to achieve its goals, first looking at the overall objectives of the Act.

The objectives of the EU Cyber Resiliency Act

To protect the software supply chain while still ensuring the internal market will function properly, the CRA looks to build the necessary conditions to achieve two main objectives:

‍

1. That manufacturers prioritize security throughout a product’s life cycle so that it comes to market with fewer vulnerabilities;
2. That users can more easily take cybersecurity into account when selecting and using software.

To this end, the Act aims to reach four specific goals:

‍

1. To hold manufacturers accountable for improving software security, starting with design and development and throughout the entire product life cycle;
2. To ensure a cogent and comprehensive cybersecurity framework that is still easy for software producers to comply with;
3. To increase transparency into the range of software’s range of exploitable vulnerabilities and associated security elements;
4. To facilitate the use of secure software for businesses and consumers alike.

SBOMs, front and centre

To achieve these goals, the CRA lays out specific actions and strategies regarding the responsibility and the means to protect software vulnerabilities.

One notable area involves specifying vulnerability reporting format and requirements, anchored in the form of a software bill of materials (SBOM). Briefly, an SBOM tracks and shares metadata details identifying the provenance of software components and supply chain relationships, helping developers, vendor, and users identify, track, mitigate existing and emerging vulnerabilities and risks.

Article 37 of the Regulation first places the responsibility for identifying and logging software provenance with manufacturers, who must guarantee their software does not contain third-party vulnerabilities, including SBOMs as a key document:

In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials.

When the Act more precisely describes the exact means by which to mitigate risk, it includes SBOMs as a specific requirement to do, in Section 2 of Annex 1:

Manufacturers of the products with digital elements shall: (1) identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product.

This, however, does not mean that manufacturers are free to draw up any kind of document they want. To better guarantee governmental oversight, Article 63 reserves the power for the EU Commission to “specify the format and elements of the software bill of materials”, as well as any additional information, format, or procedure that notifies stakeholders of vulnerabilities.

Implications of the CRA

One thing is clear from the proposed Regulation: SBOMs are critical to meeting the requirements of the Act and will be a key document to demonstrate and measure compliance.

Failure to comply with essential cybersecurity requirements and/or obligations of responsibility of the CRA will be subject to fines of up to over $15 million.

However, given that the Act is not yet made law and is strictly EU-based, the CRA may seem distant to some. But all software developers and vendors should be wary of complacency or inaction, because not only will the Act likely be passed soon, it will affect any piece of software sold or used in Europe.

That means the time is ripe to begin shifting your security paradigm to the new regulatory reality. Implementing an SBOM management strategy right now, and adopting the tools to do so effectively, will help businesses build the processes they ’ll need to have in place when the CRA soon becomes law, the muscle to hit the ground running.

Having a head start is especially crucial when it comes to compliance. If you’re behind the curve, you’re more likely to struggle adapting to the new regulations and risk incurring major fines and a tarnished industry reputation. Worse, however, is that you’ll be blind to the growing number of increasingly sophisticated cyberattacks targeting and exploiting software vulnerabilities that, without the right SBOM management platform, would remain unseen.

As the leading, most comprehensive SBOM management solution, Cybeats SBOM Studio collects, stores and distribute SBOMs at scale, continuously monitoring and tracking your software’s provenance to detect potential vulnerabilities that lead to autonomous intrusions.

With single-pane visibility into your software supply chain, Cybeats SBOM Studio helps you develop deeper insights and clearer transparency into the security and certainty of your software components. Not only does this better assess and mitigate risk but, with the CRA barreling towards you, will help you prove compliance and meet the requirements of the Act, shoring up your position to scale and compete in the new software environment.

‍