Press Release

CISA Releases Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management (SCRM)  


WASHINGTON - Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the new Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management product from the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force.  

“The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain. With standardized naming, comprehensive information, and clear guidance, organizations can safeguard against economic and security risks, enhancing overall resilience,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington. “By enhancing transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges.” 

The HBOM product provides a framework that includes a consistent naming methodology for attributes of components, a format for identifying and providing information about the different types of components, and guidance of what HBOM information is appropriate depending on the purpose for which the HBOM will be used. 

The framework has several key components:  

  • Use Case Categories (Appendix A): Provides a range of potential use cases that purchasers may have for HBOMs, based on the nature of the risk the purchaser seeks to evaluate. 
  • Format of HBOMs (Appendix B): Framework sets forth a format that can be used to ensure consistency across HBOMs and to increase the ease with which HBOMs can be produced and used. 
  • Data Field Taxonomy (Appendix C): Provides a taxonomy of component/input attributes that, depending on the use for which the purchaser intends to use an HBOM, may be appropriate to include in an HBOM. 

“This methodology gives organizations a useful tool to evaluate supply chain risks with a consistent and predictable structure for a variety of use cases” said John Miller, Senior Vice President of Policy and General Counsel at Information Technology Industry Council (ITI) and ICT SCRM Task Force Co-Chair. The product was developed by the ICT SCRM Task Force’s HBOM Working Group, which includes subject matter experts from a diverse set of private and public sector organizations.  

"This resource plays a vital role in adopting proactive approaches to mitigate risks effectively," said Robert Mayer, Senior Vice President of Cybersecurity and Innovation at US Telecom and ICT SCRM Task Force Co-Chair.  

For more information, please visit: ICT Supply Chain Risk Management Task Force.