Read the Day 1 Write-Up First

SBOM-a-Rama, Day 2

Short note

These are my notes. As such, they may be incomplete and inaccurate at times. If you feel I misrepresented a speaker or a topic, please reach out to me to collaborate on improving this article. I was also trying to participate in some of the chats simultaneously, so I could not take a complete set of notes for the latter part of the event. I intend to relisten to the later portions of the event and write more about it once the videos are available.

Opening

The NTIA cycle is concluding, and the torch is passing to CISA. The working groups organized under NTIA will publish their final documents. Allan will continue to push the effort forward under the CISA banner.

Yu INOSE, Deputy Director of Cybersecurity Division, METI (Japan)

The initial focus is on risk management in the energy sector.

Various cross-sector working groups are organized under the CPSF (Cyber/Physical Security Framework) model, and their output has been translated into English (contact Yu if you cannot find it).

As OSS becomes common, companies face challenges related to it:

  • License Management
  • Vulnerabilities
  • Supply Chain

Sharing OSS management best practices is practical: the CPSF effort gathered OSS policies from 15 companies, and these are also available for review.

SBOM adoption is not common yet. The obstacles to implementation are:

  • Cost of implementation
  • Lack of uniformity in software IDs

A proof of concept (PoC) named "garden" is being used to validate ideas. The group aims to publish a report by March and wants to identify the benefits and costs of SBOMs.

Tentative findings:

  • SBOM accuracy matters
  • [missed, sorry]

Japan will discuss the most effective ways to use SBOMs and expand the PoC's scope.
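
The two obstacles listed above (cost, and the lack of uniformity in software IDs) and the finding that SBOM accuracy matters are connected: a consumer that matches SBOM components against a vulnerability feed only finds what it can identify. The following is an added example, not code from the talk or from the METI PoC. The components, the advisory entry and the "example-lib" names are all constructed; the same component is described as a purl, as a CPE and as a bare name/version, and a matcher that understands only purls misses two of the three until the identifiers are normalized.

```python
import re

# Constructed SBOM components (not from any real SBOM): the same component
# described three ways, as happens when different tools emit the inventory.
SBOM_COMPONENTS = [
    {"name": "example-lib", "version": "1.2.3",
     "purl": "pkg:maven/org.example/example-lib@1.2.3"},
    {"name": "example-lib", "version": "1.2.3",
     "cpe": "cpe:2.3:a:example_vendor:example_lib:1.2.3:*:*:*:*:*:*:*"},
    {"name": "Example-Lib", "version": "1.2.3"},
]

# Constructed advisory feed keyed by a canonical (name, version) pair.
ADVISORIES = {("example-lib", "1.2.3"): "hypothetical advisory for example-lib 1.2.3"}

# pkg:type/namespace/name@version  (namespace optional, qualifiers ignored)
_PURL_RE = re.compile(r"pkg:[^/]+/(?:[^@]+/)?([^@/]+)@([^?#]+)")


def canonical_name(raw):
    """Fold case and the '-'/'_' spelling difference that separates purl-style
    and CPE-style product names. Deliberately loose: a real matcher should key
    on purl type and namespace as well, not just the bare name."""
    return raw.lower().replace("_", "-")


def normalize_component(component):
    """Reduce one SBOM component to a canonical (name, version) key, whichever
    identifier flavour it carries. Returns None when nothing usable is present."""
    purl = component.get("purl")
    if purl:
        m = _PURL_RE.fullmatch(purl)
        if m:
            return (canonical_name(m.group(1)), m.group(2))
    cpe = component.get("cpe")
    if cpe:
        parts = cpe.split(":")  # cpe:2.3:part:vendor:product:version:...
        if len(parts) >= 6 and parts[:2] == ["cpe", "2.3"]:
            return (canonical_name(parts[4]), parts[5])
    if "name" in component and "version" in component:
        return (canonical_name(component["name"]), component["version"])
    return None


def match_purl_only(components):
    """Naive matcher: only components that carry a purl are compared."""
    hits = []
    for c in components:
        m = _PURL_RE.fullmatch(c.get("purl", ""))
        if m and (m.group(1), m.group(2)) in ADVISORIES:
            hits.append(ADVISORIES[(m.group(1), m.group(2))])
    return hits


def match_normalized(components):
    """Matcher that normalizes every identifier flavour before the lookup."""
    hits = []
    for c in components:
        key = normalize_component(c)
        if key in ADVISORIES:
            hits.append(ADVISORIES[key])
    return hits


if __name__ == "__main__":
    print("purl-only matches:", len(match_purl_only(SBOM_COMPONENTS)))    # 1
    print("normalized matches:", len(match_normalized(SBOM_COMPONENTS)))  # 3
```

The naive matcher reports one affected component; the normalizing one reports all three. The normalization is intentionally crude (bare name plus version) to keep the point visible: whichever canonical form a consumer settles on, every producer in the chain has to emit identifiers that can be mapped to it, or the SBOM is accurate on paper and silent in practice.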

Brainstorming

There was a long brainstorming session. CISA will create working groups on a variety of topics, grouped into buckets.

At minimum, we will likely see:

  • Cloud
  • Data Management
  • Tooling
  • On-Ramps (education, outreach, etc)
  • Sharing and Exchange
  • Technical Implementations
  • Firmware and Embedded