MITRE
Data Normalization Challenges in SBOM Processing
Pages: 29
Time to read: 49 mins
Publication
Language: English
This white paper addresses the challenges of data normalization in Software Bill of Materials (SBOM) processing, with a focus on medical device manufacturers. It outlines the role of SBOMs in software security and supply chain risk management, describing them as essential tools for identifying software components and the relationships between them. The document discusses both the non-technical and the technical challenges of SBOM generation, including the difficulty of obtaining SBOMs for third-party components and the complexity of maintaining them across the software lifecycle. It highlights the need for standardized nomenclature and formats so that data from different sources can be compared consistently. The paper also reviews initiatives by the National Telecommunications and Information Administration (NTIA) and the Cybersecurity and Infrastructure Security Agency (CISA) to define and promote SBOMs. Finally, it presents potential mitigations for the identified challenges, emphasizing the role of automation and the importance of effective tooling in the SBOM generation process.