A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components. The SBOM work has advanced since 2018 as a collaborative community effort, driven by NTIA’s multistakeholder process.
CISA will advance the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. This website will also be a nexus for the broader set of SBOM resources across the digital ecosystem and around the world.
An SBOM-related concept is the Vulnerability Exploitability eXchange (VEX). A VEX document is an attestation, a form of a security advisory that indicates whether a product or products are affected by a known vulnerability or vulnerabilities. For more information on how to receive updates or join in on the efforts around VEX, please contact SBOM@cisa.dhs.gov.
For a recap of the CISA SBOM-a-rama, held on December 15 & 16, 2021, and to view the recordings of the event, please visit the CISA SBOM-a-rama page.
For information about the “NTIA Consensus” defining and implementing SBOM, drafted by stakeholders, see the resources at ntia.gov/sbom.
Vulnerability Exploitability eXchange (VEX) Use Case Document (April 2022)
This resource provides the recommended minimum data elements of a VEX document and offers a set of scenarios with proposed implementations. This document was drafted by stakeholders through an open and transparent, community-led process.
For any questions or to receive updates on CISA’s SBOM work, please contact SBOM@cisa.dhs.gov.