d. One or more components that are more than two years [27] behind the current version;
e. One or more open source components that have not been updated or patched for six months [28] or more;
f. No CPE name registered for the product in the NVD; or
g. Open source components that appear to have had a single maintainer [29] for one year [30] or more.
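Criteria (d) to (g) can be checked mechanically against a device SBOM once it is joined with data the SBOM itself does not carry (release dates, last update date, maintainer count). The Python below is an added example written for this page, not code from the article or from the Industry IoT Consortium: it parses a constructed CycloneDX-style SBOM, joins it with a constructed enrichment table standing in for what a package registry or upstream repository would supply, and reports every component that meets one of the four criteria. The periods are parameters because footnotes 27, 28 and 30 say they are negotiated between customer and manufacturer. The component names, CPE strings and dates are all hypothetical; criterion (f) is approximated offline by the presence of a `cpe` field in the SBOM, where a live check would query the NVD.

```python
"""Audit an SBOM against contractual component criteria (d) to (g).

Added example, not code from the article. All sample data below is constructed.
"""
import calendar
import json
from dataclasses import dataclass
from datetime import date

# Constructed CycloneDX-style SBOM for a hypothetical device image (not a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "cpe": "cpe:2.3:a:example_vendor:libfoo:1.2.0:*:*:*:*:*:*:*"},
        {"type": "library", "name": "tinyparse", "version": "0.9.1"},  # no CPE recorded
        {"type": "operating-system", "name": "vendor-rtos", "version": "4.1",
         "cpe": "cpe:2.3:o:example_vendor:rtos:4.1:*:*:*:*:*:*:*"},
    ],
})

# Constructed enrichment data keyed by component name. A real pipeline would key on purl
# and pull these fields from a package registry or the upstream repository.
ENRICHMENT = {
    "libfoo":      {"open_source": True,  "installed_released": date(2020, 3, 1),
                    "latest_released": date(2023, 9, 15), "last_update": date(2023, 9, 15),
                    "maintainers": 3,  "single_maintainer_since": None},
    "tinyparse":   {"open_source": True,  "installed_released": date(2023, 1, 10),
                    "latest_released": date(2023, 1, 10), "last_update": date(2023, 1, 10),
                    "maintainers": 1,  "single_maintainer_since": date(2021, 6, 1)},
    "vendor-rtos": {"open_source": False, "installed_released": date(2024, 1, 5),
                    "latest_released": date(2024, 6, 1),  "last_update": date(2024, 6, 1),
                    "maintainers": 12, "single_maintainer_since": None},
}
AS_OF = date(2024, 7, 1)  # date the audit is run (constructed)


@dataclass(frozen=True)
class Thresholds:
    """Negotiable periods (footnotes 27, 28, 30); defaults are the article's figures."""
    version_lag_years: int = 2        # criterion (d)
    stale_months: int = 6             # criterion (e)
    single_maintainer_years: int = 1  # criterion (g)


@dataclass(frozen=True)
class Finding:
    component: str
    criterion: str  # "d", "e", "f" or "g"
    detail: str


def shift_back(d: date, years: int = 0, months: int = 0) -> date:
    """Move d back by whole years/months, clamping the day to the target month's length."""
    total = d.year * 12 + (d.month - 1) - 12 * years - months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def audit_sbom(sbom_json: str, enrichment: dict, as_of: date,
               thr: Thresholds = Thresholds()) -> list:
    """Return one Finding per (component, criterion) that fails."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp["name"]
        # (f) applies to every component, open source or not. The SBOM's cpe field is the
        # offline proxy for "CPE name registered in the NVD"; a live check would query the NVD.
        if not comp.get("cpe"):
            findings.append(Finding(name, "f", "no CPE name recorded"))
        meta = enrichment.get(name)
        if meta is None:
            continue  # nothing to say about age or maintainers without enrichment data
        # (d) installed version released more than N years before the current version.
        if meta["installed_released"] < shift_back(meta["latest_released"],
                                                   years=thr.version_lag_years):
            findings.append(Finding(name, "d",
                                    f"installed {comp['version']} released "
                                    f"{meta['installed_released']}, current released "
                                    f"{meta['latest_released']}"))
        if meta["open_source"]:
            # (e) no update or patch for N months or more.
            if meta["last_update"] <= shift_back(as_of, months=thr.stale_months):
                findings.append(Finding(name, "e", f"last updated {meta['last_update']}"))
            # (g) a single maintainer for N years or more.
            since = meta["single_maintainer_since"]
            if (meta["maintainers"] == 1 and since is not None
                    and since <= shift_back(as_of, years=thr.single_maintainer_years)):
                findings.append(Finding(name, "g", f"single maintainer since {since}"))
    return findings


def failing_components(findings) -> set:
    return {f.component for f in findings}


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM, ENRICHMENT, AS_OF):
        print(f"{f.component}: ({f.criterion}) {f.detail}")
```

Criterion (d) is read here as "the current version was released more than two years after the installed version"; if the contract instead means "the installed version is more than two years old", compare `installed_released` against `shift_back(as_of, ...)` in the same way. Criterion (f) is deliberately applied to the proprietary firmware as well, since the article's point is that the device and its components need CPE names so that CVEs can be tracked against them.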
An SBOM for an IoT or IIoT device differs in important ways from an SBOM for a "user-managed" software product, because the device user has no direct relationship with the suppliers of the software and firmware installed in the device; the user's only direct relationship is with the device manufacturer. The user must therefore rely on the manufacturer to track and manage vulnerabilities in the device's software and to apply the patches developed by the suppliers of the software products installed in the device.
Because of this, the manufacturer cannot take a "hands-off" relationship with its customers; it must take primary responsibility for software vulnerability management and patching. Most importantly, the manufacturer needs to:
1. Provide a complete software bill of materials for the device to its customers, updated whenever the manufacturer updates any of the software in the device; and
2. Register the device in the National Vulnerability Database, so that it has a CPE name, and report vulnerabilities (CVEs) identified in the software and firmware products installed in the device as vulnerabilities in the device itself. This allows a device user to track device vulnerabilities and confirm that they are properly addressed, through patching or other means.
The views expressed in the IIC Journal of Innovation are the author's views and do not necessarily represent the views of their respective employers nor those of the Industry IoT Consortium®.
[27] The exact number of years or months can be negotiated. In some cases, it may be preferable for the customer not to require an upgrade after a certain period of time, but instead to set out criteria for upgrading, such as a serious unpatched vulnerability.
[28] The exact time period can be negotiated between the device customer and the device manufacturer.
[29]
[30] The exact time period can be negotiated between the device customer and the device manufacturer.