Software Bill of Materials

A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components.  The SBOM work has advanced since 2018 as a collaborative community effort, driven by NTIA’s multistakeholder process

CISA will advance the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. This website will also be a nexus for the broader set of SBOM resources across the digital ecosystem and around the world.

An SBOM-related concept is the Vulnerability Exploitability eXchange (VEX).  A VEX document is an attestation, a form of a security advisory that indicates whether a product or products are affected by a known vulnerability or vulnerabilities. For more information on how to receive updates or join in on the efforts around VEX, please contact


For a recap of the CISA SBOM-a-rama, held on December 15 & 16, 2021, and to view the recordings of the event, please visit the CISA SBOM-a-rama page.


For information about the “NTIA Consensus” defining and implementing SBOM, drafted by stakeholders, see the resources at

The “Minimum Elements” defined under Executive Order 14028 are available at the NTIA SBOM Publications page. 

Vulnerability Exploitability eXchange (VEX) Use Case Document (April 2022)  
This resource provides the recommended minimum data elements of a VEX document and offers a set of scenarios with proposed implementations. This document was drafted by stakeholders through an open and transparent, community-led process. 

More information

For any questions or to receive updates on CISA’s SBOM work, please contact

Was this webpage helpful?  Yes  |  Somewhat  |  No