Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Software Bill of Materials (SBOM)

A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of the ingredients that make up software components. The SBOM work has advanced since 2018 as a collaborative community effort, driven by the National Telecommunications and Information Administration’s (NTIA) multistakeholder process.

CISA will advance the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. This website will also be a nexus for the broader set of SBOM resources across the digital ecosystem and around the world.

An SBOM-related concept is the Vulnerability Exploitability eXchange (VEX). A VEX document is an attestation, a form of security advisory, that indicates whether one or more products are affected by one or more known vulnerabilities.
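As an added illustration (not code from this page or from CISA), the following Python consumer applies VEX statements to scanner findings against SBOM components, using the status and NOT AFFECTED justification vocabularies from the community VEX documents listed below. The simplified document shape, the purl identifiers and the CVE-EXAMPLE ids are constructed placeholders; a malformed statement is rejected rather than allowed to silence a finding.

```python
import json

# Status and not_affected justification vocabularies as defined in the community VEX
# minimum requirements and status justification documents.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary", "inline_mitigations_already_exist"}

# Constructed sample data: scanner findings keyed by SBOM component identifier, and a
# simplified VEX document. The purls and CVE-EXAMPLE ids are placeholders, not real ones.
FINDINGS = [
    ("pkg:generic/libparse@2.1.0", "CVE-EXAMPLE-0001"),
    ("pkg:generic/libparse@2.1.0", "CVE-EXAMPLE-0002"),
    ("pkg:generic/netcore@0.9.4", "CVE-EXAMPLE-0003"),
    ("pkg:generic/imgdec@5.0.0", "CVE-EXAMPLE-0004"),
]
VEX_JSON = json.dumps({"author": "constructed supplier", "statements": [
    {"product": "pkg:generic/libparse@2.1.0", "vulnerability": "CVE-EXAMPLE-0001",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"product": "pkg:generic/libparse@2.1.0", "vulnerability": "CVE-EXAMPLE-0002",
     "status": "affected", "action_statement": "upgrade to libparse 2.1.1"},
    {"product": "pkg:generic/netcore@0.9.4", "vulnerability": "CVE-EXAMPLE-0003",
     "status": "not_affected"},  # malformed: not_affected without a justification
]})

def check_statement(stmt):
    """Return the problems found in one VEX statement (empty list: usable)."""
    problems = [f"missing {f}" for f in ("product", "vulnerability", "status") if f not in stmt]
    if stmt.get("status") not in STATUSES:
        problems.append(f"unknown status {stmt.get('status')!r}")
    elif stmt["status"] == "not_affected" and stmt.get("justification") not in JUSTIFICATIONS:
        problems.append("not_affected requires a recognised justification")
    return problems

def triage(findings, vex_json):
    """Split findings into those a valid VEX statement resolves and those still open."""
    index, rejected = {}, []
    for stmt in json.loads(vex_json)["statements"]:
        problems = check_statement(stmt)
        if problems:  # a malformed statement must never silence a finding
            rejected.append((stmt.get("vulnerability"), problems))
            continue
        index[(stmt["product"], stmt["vulnerability"])] = stmt
    resolved, actionable = [], []
    for product, vuln in findings:
        stmt = index.get((product, vuln))
        if stmt and stmt["status"] in ("not_affected", "fixed"):
            resolved.append((vuln, stmt["status"], stmt.get("justification")))
        else:  # affected, under_investigation, or no statement at all
            actionable.append((vuln, stmt["status"] if stmt else "no_vex_statement"))
    return {"resolved": resolved, "actionable": actionable, "rejected": rejected}
```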

    Featured Content

    For information about the “NTIA Consensus” defining and implementing SBOM, drafted by stakeholders, see the resources at ntia.gov/sbom.

    The “Minimum Elements” defined under Executive Order 14028 are available at the NTIA SBOM Publications page.

    When to Issue VEX Information

    This document seeks to explain the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information.

    Software Identification Ecosystem Analysis

    The paper outlines a collective, community goal for a more harmonized software identification ecosystem that can be used across the complete, global software space for all key cybersecurity use cases.

    2023 SBOM-a-Rama

    This event focused on helping the software and security community understand the current state of SBOM and what efforts have been made by the SBOM community, including CISA-facilitated community-led work and more.

    Types of Software Bill of Materials (SBOM)

    This community-led resource summarizes common types of SBOMs that tools may create in the industry today, along with the data typically presented for each type of SBOM.

    Minimum Requirements for Vulnerability Exploitability eXchange (VEX)

    This community-led resource specifies the minimum elements to create a VEX document, to help harmonize across implementations and accelerate tool creation.

    Software Bill of Materials (SBOM) Sharing Lifecycle Report

    This report highlights solutions for sharing SBOMs and assists readers in choosing appropriate solutions for their needs concerning the discovery, access, and transport of SBOMs.

    Past SBOM Events

    A recap of the 2021 SBOM-a-rama and recordings of the event.

    For summaries from the eight SBOM Listening Sessions held in September 2022, as detailed in the Federal Register Notice, please send a request to SBOM@cisa.dhs.gov.

    Vulnerability Exploitability eXchange (VEX) Use Case Document (April 2022)

    This resource provides the recommended minimum data elements of a VEX document and offers a set of scenarios with proposed implementations.

    Vulnerability Exploitability eXchange (VEX) Status Justification Document (June 2022)

    This resource provides the recommended NOT AFFECTED status justifications of a VEX document and offers the reader examples of when the different status justifications might be used. 

    SBOM Community Legal Explanation

    This document offers additional information regarding community-drafted documents.

    Guidance on Assembling a Group of Products

    This document is a guide for creating the build SBOM for assembled products that may contain components that undergo version changes over time.

    CISA SBOM-a-Rama

    To support a community effort to advance SBOM technologies, processes, and practices, CISA facilitated the 2023 CISA SBOM-a-Rama. The goal of this meeting was to help the broader software and security community understand the current state of SBOM and what efforts have been made by different parts of the SBOM community, including CISA-facilitated community-led work and other activity from sectors and governments. We had nearly 1,000 attendees combined in-person and virtually. We were blown away by the level of interest and engagement from a host of different perspectives and from leaders around the world. The discussion portion of the program generated a huge range of potential new ideas.

    To view videos and slides of the event’s presentations, visit the SBOM-a-Rama page.

    CISA SBOM Workstreams

    CISA recognizes the importance of SBOMs in transparency and security, and that SBOM evolution and refinement should come from the community. To launch this community work, CISA is facilitating four new workstreams around SBOM, which are intended to advance the software and security communities’ understanding of SBOM creation, use, and implementation across the broader technology ecosystem. CISA will act as a facilitator and participants will drive the outcomes, including any specific issues of focus or next steps.

    • Vulnerability Exploitability eXchange (VEX)
      Meeting Day/Time: Monday 10 AM ET – 11 AM ET (weekly)
      The VEX workstream defines and refines the Vulnerability Exploitability eXchange (VEX) model, which allows attestations on whether a product is affected or not affected by a given vulnerability, and characterizes VEX use cases and operations.

    • Sharing & Exchanging
      Meeting Day/Time: Monday 12 PM ET – 1 PM ET (weekly)
      The Sharing and Exchanging workstream will focus on the topic of moving SBOMs, and related metadata, across the software supply chain. The community will have discussions centered around understanding how to enable discovery and access, while underscoring the importance of solution interoperability.

    • On-Ramps & Adoption
      Meeting Day/Time: Tuesday 12 PM ET – 1 PM ET (weekly)
      The On-Ramps and Adoption workstream will focus on promoting education and awareness to help lower the costs and complexities of adoption, allowing newer or less mature organizations to provide, request, and use SBOMs to secure and understand their organization’s risk. The workstream may also define use cases for SBOM, as well as coordinate efforts across all new and existing SBOM-related workstreams to assist in marketing as well as help to avoid substantive overlap.

    • Cloud & Online Applications
      Meeting Day/Time: Wednesday 3 PM ET – 4 PM ET (bi-weekly)
      The Cloud and Online Applications workstream will focus on integrating current understanding around SBOM into the context of online applications and modern infrastructure. Most of the existing discussion around SBOM, particularly around SBOM use cases, has focused on on-premise software. Cloud and Software-as-a-Service (SaaS)-based software comprises a large and growing segment of the software ecosystem. It will be important to integrate the current understanding of SBOM with emergent advances in cloud-native technologies to tell better stories about SBOM use cases for cloud and understand how this will be handled across organizational boundaries.

    • Tooling & Implementation
      Meeting Day/Time: Thursday 3 PM ET – 4 PM ET (weekly)
      The Tooling and Implementation workstream will focus on opportunities and challenges for automating the SBOM ecosystem. This ecosystem will be driven by a range of accessible and constructive tools and enabling applications, both open source and proprietary. This work will potentially enhance existing SBOM data with further implementation details, encourage interoperability across tools and uses, and foster the advancement and efficiency of the tooling marketplace.

    More Information

    For any questions or to receive updates on CISA’s SBOM work, please email SBOM@cisa.dhs.gov.
