SBOM Resources Library

This short video from CISA and DHS S&T explains the basic concepts and purpose of SBOM.  

This resource provides an introduction to the practice of SBOM, supporting literature, and the pivotal role SBOMs play in providing much-needed transparency for the software supply chain. (Japanese translation)

This collection of videos provides a wide range of information about SBOM including introductory concepts, technical webinars, and proof of concept presentations.

This resource summarizes the use cases and benefits of having an SBOM from the perspective of those who make software, those who choose or buy software, and those who operate it.

This guide provides information on the benefits of SBOM, common misconceptions and concerns, creation of an SBOM, distributing and sharing an SBOM, and role specific guidance. Also, the document provides information on SBOM related efforts, such as V

This document outlines detailed information, benefits, and commonly asked questions. (An update will be available shortly) 

This document is intended to help the reader to understand and dispel common, often sincere myths and misconceptions about SBOM.

Acknowledging key differences between SaaS and non-SaaS software, this paper discusses the value of SBOM-driven transparency for SaaS and offers recommendations for advancing transparency in SaaS software.

This document is a guide for creating the build SBOM for assembled products that may contain components that undergo version changes over time.

This document aligns with industry best practices and principles, including managing open source software and software bills of materials, that software developers and software suppliers can reference. 

This community-led resource summarizes common types of SBOMs that tools may create in the industry today, along with the data typically presented for each type of SBOM.

This resource serves as the detailed foundation of SBOM. It defines SBOM concepts and related terms, offers an updated baseline of how software components are to be represented, and discusses the processes around SBOM creation. (prior 2019 edition)

This resource summarizes existing standards, formats, and initiatives as they apply to identifying the external components and shared libraries used in the construction of software products for SBOMs. (prior 2019 edition)

This resource outlines workflows for the production of Software Bills of Materials (SBOM) and their provision by software suppliers.

This resource outlines workflows for the acquisition, management, and use of SBOM by software consumers, including commercial and non-commercial entities acquiring third-party software capabilities from a supplier.

This resource offers instructions and guidance on how to generate an SBOM based on the experiences of the Healthcare Proof-of-Concept working group.

This resource offers a categorization of different types of SBOM tools. It can help tool creators and vendors to easily classify their work, and can help those who need SBOM tools understand what is available.

This resource frames the dimensions of SBOM creation and delivery, to support more consistent and effective articulation of needs between requesters and suppliers of SBOMs.   

This resource offers instructions and guidance on how to generate an SBOM based on the experiences of the Healthcare Proof-of-Concept working group.

Phase II confirmed the value of providing SBOM information, proving the viability of the baseline elements, expanding use cases and participants, developing a how-to guide, and exploring the use of VEX.

This resource documents the successful execution and lessons learned of a proof-of-concept exercise led by medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). 

The paper outlines a collective, community goal for a more harmonized software identification ecosystem that can be used across the complete, global software space for all key cybersecurity use cases.

This resource reviews the challenges of identifying software components for SBOM implementation with sufficient discoverability and uniqueness.

This resource offers a brief introduction to VEX, which allows a software supplier to clarify whether a specific vulnerability actually affects a product.

This document seeks to explain the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information.

This community-led resource specifies the minimum elements to create a VEX document, to help harmonize across implementations and accelerate tool creation.

This resource provides the recommended NOT AFFECTED status justifications of a VEX document and offers the reader examples of when the different status justifications might be used.

This resource provides the recommended minimum data elements of a VEX document and offers a set of scenarios with proposed implementations.