Enhancing Cyber Supply Chain Risk Management with the HBOM Framework

Article

With the rising number of global regulatory acts and the increasing complexity of supply chains due to foreign ownership and national security concerns, it’s crucial for organizations to take a proactive posture when managing supply chain risks. Understanding the components that make up the products in your supply chain — both software and hardware — is central to this task.

This article looks at the Hardware Bill of Materials (HBOM) framework developed through the Cybersecurity and Infrastructure Security Agency (CISA) and its importance in enhancing cyber supply chain risk management (C-SCRM) and managing compliance. You’ll also discover how HBOMs can be effectively leveraged in categories such as compliance, security and availability to mitigate supply chain risks and build resilience in the face of unpredictable global events.

Table of Contents

What Is a Hardware Bill of Materials (HBOM)?

The Hardware Bill of Materials (HBOM) is a standardized tool developed by the Hardware Bill of Materials Working Group (HBOM WG), under the guidance of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force. The primary purpose of an HBOM is to provide transparency within supply chains through an established framework, particularly in the ICT sector. This transparency allows procurement and supply chain leaders to evaluate and manage the inherent risks in their supply chain more effectively, and the framework itself is designed to be both consistent and repeatable in application.

An HBOM, as defined by the framework, is a systematic structure comprising clearly defined data fields that outline the components of a hardware product and its attributes. It enables organizations, both governmental and industry-based, to identify potential economic and security risks associated with equipment components that may be compromised, untrusted and subject to availability risks. The HBOM can also be used to ensure compliance with legal requirements, such as regulations that prohibit the use of components created through forced labor.

“By enhancing transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure against emerging threats and challenges,” said Mona Harrington, Assistant Director of the CISA National Risk Management Center and Co-Chair of the ICT SCRM Task Force.

With the rising number of cybersecurity threats and growing concerns about sustainability, it is critical for supply chain leaders, compliance teams and governmental agencies to use the HBOM framework alongside other evaluation measures, such as sending suppliers questionnaires about their cybersecurity practices and requesting Software Bill of Materials (SBOM) information, to gain a comprehensive understanding of supply chain risks and to aid in the process of building a resilient supply chain.

“This resource plays a vital role in adopting proactive approaches to mitigate risks effectively,” said Robert Mayer, Co-Chair of the ICT Task Force and Senior Vice President of Cybersecurity and Innovation at USTelecom.

How HBOMs and SBOMs Contribute to C-SCRM Efforts

The 2021 Cybersecurity Executive Order 14028 was created by the Biden administration to combat attacks against government agencies, critical infrastructure and corporations — as well as foster cooperation between the U.S. government and the private sector — to better mitigate cybersecurity threats. It mandated the necessity of SBOMs in federal procurement processes, making it clear that SBOMs play a pivotal role in the nation’s cybersecurity. Their ability to reveal important information, such as end-of-life fragilities and the number of people maintaining software code for a product, cements SBOMs as a crucial contributor to the overall information needed by procurement leaders to identify and evaluate their overall supply chain risks.

The HBOM framework was designed to complement cyber supply chain risk management (C-SCRM) efforts by ensuring consistency with other frameworks that help to provide SBOM information, such as CycloneDX and SPDX (Software Package Data Exchange). While SBOM data can help to identify vulnerabilities within software applications, HBOMs can provide multi-level visibility into hardware components, such as assembly processes and breakdowns of raw materials. Having a complete overview of this information can help to uncover supplier tiers that may be hidden further along a supply chain. This, in turn, provides visibility for supply chain and procurement leaders to make informed decisions on whether to purchase or continue using a particular supplier or product part.

“The HBOM can help with counterfeit checking, country of origin concerns, and identifying aging components,” said John Scott, SVP for Proactive Intelligence and Software Supply Chain Intelligence at Exiger. “You’ll get a much better idea of what you actually have within a given hardware product.”

Leveraging the HBOM Framework to Mitigate Supply Chain Risk

The HBOM framework provides not only a consistent naming and formatting methodology for component attributes, but also guidance on what HBOM information is appropriate for specific use cases. This can help procurement leaders and compliance personnel identify potential supply chain risk in the following categories:

Compliance

When it comes to compliance with sanctions and other global regulatory acts, knowing who the manufacturer of a product is and where they’re located may not suffice. This is where the HBOM can help procurement and supply chain leaders gain a deeper level of insight into a product’s supply chain by illuminating product and component-level details and impacts.

Determining ultimate beneficial ownership and control is one of the most challenging aspects of sanctions risk management, and heightened regulatory vigilance on companies to ensure that they are not conducting business — whether directly or indirectly — with sanctioned entities places additional pressure on corporations to conduct due diligence. Additional complications arise when sanctioned parties attempt to evade sanctions through the use of middlemen. Requesting HBOMs from suppliers can help to minimize these compliance risks, as the information required for any product, kit or assembly can be broken down into lesser components — which may, in turn, uncover possible hidden tiers and information in your supply chain.   

Compliance may also extend to industry or customer-specific requirements, such as annual supply chain assessment requests, as well as internal and product-specific requirements for quality control purposes. The HBOM framework can make this easier, as it aims to set forth a reliable and predictable structure for HBOMs and a set of clearly defined data fields of HBOM components.

Security

Foreign Ownership, Control or Influence (FOCI) risk has become more than a national security concern, as many business corporations and government agencies are facing the challenge of having to assess and monitor their exposure to sabotage, espionage and other potential interference efforts from foreign adversaries. For instance, the U.S. government has designated China as a major threat due to their supply chain dominance, economic coercion and connection to a significant number of cyberattacks.

Being able to identify untrusted or compromised suppliers and infrastructure in your supply chain is crucial when it comes to minimizing long-term FOCI and cybersecurity risks. Recently, a security firm detected a supply chain attack carried out by a hacker group with links to China. With the U.S. being the top destination for Chinese shipments containing electrical machinery and equipment, it comes as no surprise that counterfeit goods from China are also a major ongoing concern. Leveraging both the SBOM and HBOM frameworks can help organizations in high-risk sectors, such as ICT and critical infrastructure, assess and mitigate supply chain security risks such as these.

Availability

World events, such as the COVID-19 global pandemic, or a lack of supply chain diversification can result in key product or component shortages. Proactive efforts, such as conducting spot checks or requesting HBOMs from suppliers during the negotiation or renewal stage, can help to prevent procurement risks such as unnecessary delays and additional costs due to disruption in the production line. Failing to conduct due diligence or neglecting to ensure that vendors have appropriate ESG standards in place may also result in long-term repercussions such as costly fines of up to 2% of total revenue, reputational damage and a loss of market share.

Build Supply Chain Resilience with a Comprehensive C-SCRM Solution

Being able to identify untrusted or compromised third-party suppliers and product components in your supply chain goes a long way when it comes to mitigating cybersecurity and compliance risks, especially for organizations in high-risk sectors such as ICT or critical infrastructure.

Utilizing the HBOM framework in conjunction with the 1Exiger platform can help to illuminate every dimension of your supply chain. With U.S. federal regulations like EO 14028 enforcing the need for organizations to improve their cybersecurity measures, HBOMs can help to close data gaps in your supply chain by revealing structured bill-of-material information about the parts, materials and manufacturing processes — including Outside Special Processes (OSPs) — that go into your end products or equipment.    

However, relying on others to conduct due diligence is risky, as your suppliers may not have complete visibility into their own supply chain. When it comes to mitigating cybersecurity and compliance risks, it’s important to have a supply chain solution that delivers reliable, structured information about the raw materials and processes that go into your hardware regardless of where the parts are made — based on the existing technical data you have and the HBOMs provided by your suppliers.  

Good supply chain security relies on comprehensive supply chain visibility. Implementing real-time, continuous monitoring and gaining end-to-end visibility into all levels of the supply chain will help you not only assess and manage risks associated with both software and hardware product components, but also build long-term supply chain resilience and reduce cybersecurity risk.

Other Resources:

Demo The
Exiger Platform