On the flip side of software suppliers are software consumers. These consumers are trying to make sense of the array of guidance, best practices, and requirements that are emerging and inevitably involved in the push-and-pull dynamic of the relationship between suppliers and consumers. Each have different perspectives, incentives, and goals as well and potentially differing regulatory requirements. While some software consumers may be large enterprise environments with robust cybersecurity staff and expertise, this isn't always the case, as many consumers are small and mid-sized businesses (SMBs) with limited to no internal cybersecurity expertise and resources. These smaller organizations often must rely on outside managed service providers and partners, and simply prioritize activities that are realistic based on their resources when it comes to secure software consumption. In this chapter, we discuss some practical guidance for consumers, building on many of the recommendations made in Chapter 7, “Existing and Emerging Commercial Guidance,” and Chapter 8, “Existing and Emerging Government Guidance.”

Thinking Broad and Deep

While this chapter on guidance for consumers includes discussions and recommendations associated with software bills of materials (SBOMs), we want to emphasize that the SBOM is merely one emerging tool and resource in the broader discussion of software supply chain security. However, given its heavy focus in ...