Software Bill of Materials (SBOM)
A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components. While not a brand new concept, the ideas and implementation have advanced since 2018 through a number of collaborative community effort, including National Telecommunications and Information Administration’s (NTIA) multistakeholder process.
CISA is advancing the SBOM adoption and practices by facilitating community-led work, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. This website will also be a nexus for the broader set of SBOM resources across the digital ecosystem and around the world.
An SBOM-related concept is the Vulnerability Exploitability eXchange (VEX). A VEX document is an attestation, a form of a security advisory that indicates whether a product or products are affected by a known vulnerability or vulnerabilities.
CISA also advances the SBOM work by facilitating community engagement to advance and refine SBOM, coordinating with international, industry, inter-agency partners on SBOM implementation, and promoting SBOM as a transparency tool across the broader software ecosystem, the U.S. government, and the world. If you have any questions, please reach out to us at SBOM@cisa.dhs.gov
What's New in SBOM
Framing Software Component Transparency (2024)
This document, further defines and clarifies SBOM Attributes from the 2021 Framing Software Component Transparency document, offering descriptions of the minimum expected, recommended practices, and aspirational goal for each Attribute.
SBOM FAQ
This guide provides information on the benefits of SBOM, common misconceptions and concerns, creation of an SBOM, distributing and sharing an SBOM, and role specific guidance.
Past Event: SBOM-a-Rama September 2024
View information about the upcoming SBOM-a-Rama September 11-12, 2024.
Software Transparency in SaaS Environments
Acknowledging key differences between SaaS and non-SaaS software, this paper discusses the value of SBOM-driven transparency for SaaS and offers recommendations for advancing transparency in SaaS software.
SBOM Sharing Primer
This document provides examples of how software bill of materials (SBOM) can be shared between different actors across the software supply chain. The examples demonstrate SBOM sharing methods currently in use, ranging from proprietary software vendor
SBOM Sharing Roles and Considerations
Building on the SBOM Sharing Lifecycle Report, this document defines the three roles (SBOM Author, SBOM Consumer, and SBOM Distributor) of the SBOM sharing lifecycle and the factors they should keep in mind or be aware of when engaging in the three p
Assembling a Group of Products
Software producers, such as product manufacturers and integrators, often need to assemble and test a set of products together before delivering to their customers. This set of products may contain components that undergo version changes over time and
When to Issue VEX Information
This document seeks to explain the circumstances and events that could lead an entity to issue Vulnerability Exploitability eXchange (VEX) information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX
About the CISA SBOM Community
CISA facilitates a weekly open meeting for experts and practitioners from across the software community to discuss SBOM-related topics. In addition to the community meeting, members of the CISA SBOM community lead and participate in tiger teams focused on a specific SBOM-related topic and publish guidance to support the larger software community in the adoption and implementation of SBOM. This community-driven work builds on the NTIA Multistakeholder Process on Software Component Transparency and the previous CISA SBOM working groups. These documents are not drafted by CISA, but rather by the SBOM community. Learn more.
To join the SBOM Community Meeting email SBOM@cisa.dhs.gov.
SBOM Resources Library
CISA advances the SBOM work by facilitating community engagement to advance and refine SBOM, coordinating with international, industry, inter-agency partners on SBOM implementation, and promoting SBOM as a transparency tool across the broader software ecosystem, the U.S. government, and the world.
More Information
For any questions or to receive updates on CISA’s SBOM work, please email SBOM@cisa.dhs.gov.