ISO/IEC 27036-3
INTERNATIONAL STANDARD
Second edition 2023-06

Cybersecurity - Supplier relationships - Part 3: Guidelines for hardware, software, and services supply chain security

Reference number ISO/IEC 27036-3:2023(E)
© ISO/IEC 2023 - All rights reserved

(continued from the preceding list)
b) develop processes and practices appropriate to the software ... non-invasive ... original equipment manufacturer ...;
c) attempt tests to detect counterfeit and product intrusions, including in the development and operations phases, provided by the supplier, third parties, or the acquirer (e.g. manual code inspections);
d) conduct vulnerability scans;
e) verification using analysis and code coverage techniques such as static code analysis, dynamic analysis and assessment ...;
g) execute tools to gather evidence of changes resulting from remote maintenance activities.

6.4.12 Operation process
... (see ISO/IEC/IEEE 15288).
a) include maintenance activities as part of the system integration and operational requirements;
b) ... upgrade security requirements in operations;
c) ship elements secured by default at a level appropriate to the acquirer's requirements.

6.4.13 Maintenance process
The maintenance process provides the capability of appropriately ... managing hardware, software, and components to ... risks in the hardware, software, and services supply chain:
d) consider the risks that trained and knowledgeable authorized service personnel are not available, especially late in the element's life;
e) consider hardware, software, and services supply chain risks when acquiring replacement components or field additions/modifications/upgrades, particularly if they do not go through traditional acquisition processes that examine supply chain risks;
f) prefer formalized service/maintenance agreements where possible, e.g. use specified or qualified spare parts suppliers, provide a complete record of changes performed during maintenance (e.g. audit trail or change log), review changes made during maintenance;
g) establish and implement agreements for competent and suitable support, including refurbished and/or salvaged elements; consider requiring the original manufacturer to certify the equipment as suitable;
h) identify methods of verifying that service personnel are authenticated and authorized to perform the service work needed at the time, as well as visitor management protocols for, and monitoring of, service personnel when undertaking maintenance on-site (e.g. visitor escorts);
i) develop and implement an approach for handling and processing reported hardware, software, and services supply chain anomalies while in operation; establish a method for submitting a service request and securely sharing log and error information with suppliers;
j) monitor the supplier's business health, including whether they are a candidate for merger and acquisition or in financial difficulties;
k) implement and enforce policies on software updates and patch management;
l) establish an adequate supply of trusted spare and maintenance parts for well beyond the lifespan of the element;
m) preserve documentation for any in-service element that is no longer supported by the supplier;
n) establish processes for purchasing faulty elements that cannot be securely erased and that would otherwise go back to the supplier (e.g. a faulty hard drive), in order to securely physically destroy them.
ISO/IEC 27002 provides additional specific guidance regarding setting expectations during the maintenance process.

6.4.14 Disposal process
The purpose of the disposal process in the hardware, software, and services supply chain is to end ... identified disposal needs (e.g. per an agreement, organizational policy, or environmental, legal, safety, security aspects). See ISO/IEC/IEEE 15288 for further information.
... the following ... in the disposal process to address information security risks in the hardware, software, and services supply chain, specifically the risk of counterfeit products contaminating the supply chain:
a) ... to reduce risks of compromise, for example, ...;
b) encourage the selection of elements that can be disposed of in a way that does not expose protected ... or elements that ... permit offloading of data prior to disposal;
c) ... data or sensitive elements to ...;
d) when required for forensic investigation or for later comparison for detection of counterfeits, store elements for disposal in a dedicated repository and maintain the chain of custody;
e) implement procedures for the secure and permanent destruction of elements, such as using certified destruction providers and receiving a certificate of destruction after the acquirer's information has been securely disposed of;
f) engage trustworthy, trained disposal service personnel and set expectations for the procedures that conform to the disposal policy; verify through assessments that the procedures are being followed.
ISO/IEC 27002 provides additional specific guidance regarding setting expectations during the disposal process.

Annex A (informative)
Correspondence between the controls in ISO/IEC 27002 and this document

Table A.1 shows the correspondence between the controls contained in ISO/IEC 27002 and this document.

Table A.1 - Correspondence between controls in ISO/IEC 27002 and this document

ISO/IEC 27002:2022 subclause number | ISO/IEC 27002:2022 controls | Subclause number from this document | ISO/IEC 27036-2 subclause heading
8.27 | Secure system architecture and engineering principles | 6.2.5 | Quality management process
8.31 | Separation of development, test and production environments | 6.4.7 | Implementation process
7.13 | Equipment maintenance | 6.4.13 | Maintenance process
7.14 | Secure disposal or re-use of equipment | 6.4.14 | Disposal process

Annex B (informative)

5.8 recommends and enumerates activities that ensure an up-to-date inventory of assets used within the supply of the product/service. This level of detail can be further ... to help parties manage risk and compliance requirements in areas such as intellectual property and licence management (ISO/IEC 27002:2022, 5.32) and technical vulnerabilities (ISO/IEC 27002:2022, 8.8), among others. This annex describes elements that are ... the creation ... referred to as a software bill of materials (SBoM) or software component inventory (SCI). Throughout this annex, these concepts are referred to as SBoM. An organization producing or requesting an SBoM should consult this annex to help determine the quality ...

The SBoM concept was developed to provide consumers with information on the specific software components in their products, to enable consumers' ability to identify and manage vulnerabilities. This concept and its ... for downloadable SBoM products, not managed services. An ... consistent component relationships over time. Such SBoMs do not fit the model of managed services involving multiple servers managed by multiple suppliers with software that is frequently updated. This is a ... of the fact that ... on possibly different servers ... can be processed by two ... of each other in time. Given that, the managed services analogue of the on-premise SBoM should accommodate a continuously evolving component list associated with each supported transaction. Thus, for managed services, ...

The SBoM is not itself a risk management tool or activity. The SBoM is intended to be a highly scalable mechanism to produce and maintain accurate software component inventories. These inventories then ... In order to scale, SBoM data and processes should be machine readable and processable. Several well-defined and established SBoM document and data formats exist. SBoM and software ... different types are in active use; however, this use varies ... SBoM is under active development and this annex is intended to provide basic and introductory information about SBoM to suppliers and SBoM consumers.

This annex is primarily intended for use by software suppliers and SBoM authors. A software supplier is an entity that creates, wholly or in part, modifies, or distributes software for the purpose of its being used by other parties. Many software suppliers are users or consumers of upstream software components. Consumers of SBoM information include end users, customers, auditors, regulators, policymakers, and ...

There are differences between on-premises, product-oriented software components and cloud services. An accurate inventory and supply chain knowledge are important to both models, but the rapid ... of cloud solutions can necessitate variances in the information and processes required for ...

B.2 Essential SBoM elements

B.2.1 Overview
The following elements are necessary to convey SBoM information. SBoM elements are broken into three core areas: metadata, identifiers, and association.
Metadata elements provide information about the SBoM itself and should not be used as identifiers of the SBoM subject or components. Minimum metadata elements include Author, Timestamp, and Lifecycle.
Identifier elements provide information concerning the SBoM subject and its components. It is possible that singular identifying elements are not sufficient to uniquely identify a given component ... and vulnerability discovery; however, this is out of the scope of this annex. Identifier elements include Supplier, Component, Version, Hash, and UID. ... the given software subject and are discouraged from use as a means of reverse engineering, as this can ... contract ...
Association elements include Relationship and Source.

B.2.2 Author
The author is the entity who creates the SBoM. The author is often, but not necessarily, the supplier of the software ... the software supplier of the analysed component.

B.2.3 Timestamp
The timestamp is the date and time the SBoM was last modified. Timestamps should be represented according to the ISO 8601 series.

B.2.4 Lifecycle
... A software build can include ... testing, packaging compiled files into compressed formats, and making components available to users. The lifecycle phases are:
pre-build: the SBoM was produced prior to the build of the software;
build: the SBoM is a byproduct and artefact of the build or continuous integration (CI) process;
post-build: the SBoM was produced after the software was built, possibly through reverse engineering or black-box analysis.

B.2.5 Supplier name
The supplier is the entity who provides (e.g. owns, produces, or maintains) the primary component or subject of the SBoM. ...

B.2.6 Component name
... For components retrieved from a package manager distribution, the component name can be expressed as a Package URL (Package URL specification 1)):
EXAMPLE 1 pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie
EXAMPLE 2 pkg:docker/cassandra@sha256:244fd47e07d1004f0aed9c
EXAMPLE 3 pkg:gem/jruby-launcher@1.1.2?platform=java
EXAMPLE 4 pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?packaging=sources
EXAMPLE 5 pkg:npm/%40angular/animation@12.3.1
EXAMPLE 6 pkg:nuget/EnterpriseLibrary.Common@6.0.1304
EXAMPLE 7 pkg:pypi/django@1.11.1
EXAMPLE 8 pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25
1) https://github.com/package-url

B.2.7 Version
The version of a component should be expressed as semantic versioning when available.

B.2.8 Cryptographic hash
A cryptographic hash of a component (as defined by the SBoM author or supplier) is an intrinsic ... hashes, at the increased cost associated with identity and key management. If a component has been modified from its original source, authors should include both the hash of the source component and the hash of the modified component.

B.2.9 Unique identifier
... unique identifiers.

B.2.10 Relationship
Relationships between components are necessary to determine path traversal, complexity ... of compiling and building software changes the software but still maintains heritage. An example of this type of relationship can be: component B (binary) was generated from component A (source).

B.2.11 Source
Source is the location that the component was retrieved from. It can also relay additional details about the manner in which it was retrieved, and where and when the retrieval from source occurred (according to the ISO 8601 series). For components retrieved through git or a browser, the branch (if applicable) and URL should be listed. The examples follow the SPDX format.
EXAMPLE 1 SourceInfo: uses glibc-2.11-branch from git://sourceware.org/git/glibc.git at 2021-08-03T17:43:41+00:00
For components retrieved through a package manager or package distribution, the package manager or ... should be listed.
EXAMPLE 2 SourceInfo: cassandra@sha256:244fd47e07d1004f0aed9c from docker 20.10.7 at 2021-08-03T17:43:41+00:00
For ... if the source is deemed sensitive, ... can be cited as protected ...; this should be ... in accordance with Clause 5.8 m) of ISO/IEC 27036-3 regarding anonymous acquisition.
EXAMPLE 3 SourceInfo: jruby-launcher from protected at 2021-08-03
... components the supplier wholly created themselves as internal, non-public components ...
EXAMPLE 4 ...

B.3 Essential SBoM processes

B.3.1 Overview
a) suppliers defining their components and documenting direct upstream dependencies;
...
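As an added example (not code from the standard), the following Python checks one SBoM entry against the essential elements of Annex B: it splits the Package URL component name of B.2.6 into its parts, checks the ISO 8601 timestamp and the lifecycle phase, and verifies the B.2.8 cryptographic hash against the artefact. The flat record layout and the sample entry are constructed for this example; the purl grammar is that of the package-url specification.

```python
"""Checks for the essential SBoM elements of ISO/IEC 27036-3 Annex B (added example, not the
standard's code). parse_purl follows the package-url grammar; the flat record layout is assumed."""
import hashlib
from datetime import datetime
from urllib.parse import unquote

LIFECYCLES = {"pre-build", "build", "post-build"}                                  # B.2.4
REQUIRED = ("author", "timestamp", "lifecycle",                                    # metadata
            "supplier", "component", "version", "hash", "source")                 # identifiers, association

def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts (B.2.6)."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL")
    rest, _, subpath = purl[4:].lstrip("/").partition("#")
    rest, _, query = rest.partition("?")
    rest, _, version = rest.partition("@")      # an '@' inside a name is always %40-encoded
    parts = rest.split("/")
    return {"type": parts[0].lower(),
            "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
            "name": unquote(parts[-1]),
            "version": unquote(version) or None,
            "qualifiers": dict(kv.split("=", 1) for kv in query.split("&") if kv),
            "subpath": subpath or None}

def check_component(entry: dict, artefact: bytes) -> list:
    """Return the problems found in one SBoM entry; an empty list means it passed."""
    problems = [f"missing {k}" for k in REQUIRED if not entry.get(k)]
    try:
        datetime.fromisoformat(entry.get("timestamp") or "")                       # B.2.3: ISO 8601
    except ValueError:
        problems.append("timestamp is not ISO 8601")
    if entry.get("lifecycle") not in LIFECYCLES:
        problems.append("lifecycle is not pre-build, build or post-build")
    try:
        purl = parse_purl(entry.get("component") or "")
        if purl["version"] and purl["version"] != entry.get("version"):            # B.2.7
            problems.append("purl version differs from the version element")
    except ValueError:
        problems.append("component is not a valid Package URL")
    if hashlib.sha256(artefact).hexdigest() != entry.get("hash"):                  # B.2.8
        problems.append("hash does not match the artefact")
    return problems

# Constructed sample: the first purl example from B.2.6 paired with a made-up artefact.
ARTEFACT = b"constructed stand-in for the curl package bytes"
ENTRY = {"author": "example-sbom-tool", "timestamp": "2021-08-03T17:43:41+00:00",
         "lifecycle": "build", "supplier": "Debian", "version": "7.50.3-1",
         "component": "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie",
         "hash": hashlib.sha256(ARTEFACT).hexdigest(), "source": "from apt at 2021-08-03T17:43:41+00:00"}
```

Run `check_component(ENTRY, ARTEFACT)` on a real entry and the bytes of the delivered artefact; a non-empty list is the reason the entry should not be accepted into the inventory.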