A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of the ingredients that make up software components. The SBOM work has advanced since 2018 as a collaborative community effort, driven by the National Telecommunications and Information Administration’s (NTIA) multistakeholder process.
CISA will advance the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. This website will also be a nexus for the broader set of SBOM resources across the digital ecosystem and around the world.
An SBOM-related concept is the Vulnerability Exploitability eXchange (VEX). A VEX document is an attestation, a form of a security advisory that indicates whether a product or products are affected by a known vulnerability or vulnerabilities. For more information on how to receive updates or join in on the efforts around VEX, please contact SBOM@cisa.dhs.gov.
Upcoming SBOM events
CISA recognizes the importance of SBOMs in transparency and security, and that SBOM evolution and refinement should come from the community.
To launch this community work, CISA is facilitating listening sessions around SBOM, which are intended to advance the software and security communities’ understanding of SBOM creation, use, and implementation across the broader technology ecosystem.
CISA will act as a facilitator and participants will drive the outcomes, including any specific issues of focus or next steps.* If participants wish to schedule regular meetings or build communication channels, CISA will assist, to the extent possible, in facilitating effective and constructive collaboration.
More information can be found in the Federal Register Notice. Updates will be posted at cisa.gov/SBOM.
CISA has identified the following SBOM and related cybersecurity topics, which the community has identified as open priorities.
Meetings are scheduled as below. We are scheduling two sessions to accommodate a diversity of global schedules. We do not assume that anyone will attend both sessions on a given topic.
Upcoming Listening Sessions:
- Cloud & Online Applications Session 1: July 12, 2022 from 9:30 a.m. to 11 a.m., EDT
  - Teams Link: Cloud & On-line Applications Session 1 Teams Link
  - Dial-In Information (audio only): +1 202-516-6093, Phone Conference ID: 578862466#
- Sharing & Exchanging SBOMs Session 1: July 12, 2022 from 3:00 p.m. to 4:30 p.m., EDT
  - Teams Link: Sharing & Exchanging Session 1 Teams Link
  - Dial-In Information (audio only): +1 202-516-6093, Phone Conference ID: 381092068#
- On-Ramps & Adoption Session 1: July 13, 2022 from 9:30 a.m. to 11 a.m., EDT
  - Teams Link: On-ramps and Adoption Session 1 Teams Link
  - Dial-In Information (audio only): +1 202-516-6093, Phone Conference ID: 437476093#
- Tools & Implementation Session 1: July 13, 2022 from 3:00 p.m. to 4:30 p.m., EDT
  - Teams Link: Tools & Implementation Session 1 Teams Link
  - Dial-In Information (audio only): +1 202-516-6093, Phone Conference ID: 209128397#
- Sharing & Exchanging SBOMs Session 2: July 14, 2022 from 9:30 a.m. to 11 a.m., EDT
  - Teams Link: Sharing & Exchanging Session 2 Teams Link
  - Dial-In Information (audio only): +1 202-516-6093, Phone Conference ID: 153239469#
- On-Ramps & Adoption Session 2: July 14, 2022 from 3:00 p.m. to 4:30 p.m., EDT
  - Teams Link: On-ramps and Adoption Session 2 Teams Link
  - Dial-In Information (audio only): +1 202-516-6093, Phone Conference ID: 308331635#
- Cloud & Online Applications Session 2: July 20, 2022 from 3:00 p.m. to 4:30 p.m., EDT
  - Teams Link: Cloud & On-line Applications Session 2 Teams Link
  - Dial-In Information (audio only): +1 202-516-6093, Phone Conference ID: 62590541#
- Tools & Implementation Session 2: July 21, 2022 from 9:30 a.m. to 11 a.m., EDT
  - Teams Link: Tools & Implementation Session 2 Teams Link
  - Dial-In Information (audio only): +1 202-516-6093, Phone Conference ID: 857013598#
*Note: CISA will not be seeking any group consensus advice and/or input from the listening sessions.
Past SBOM Events
For a recap of the CISA SBOM-a-rama, held on December 15 & 16, 2021, and to view the recordings of the event, please visit the CISA SBOM-a-rama Page.
Resources
For information about the “NTIA Consensus” defining and implementing SBOM, drafted by stakeholders, see the resources at ntia.gov/sbom.
The “Minimum Elements” defined under Executive Order 14028 are available at the NTIA SBOM Publications page.
Vulnerability Exploitability eXchange (VEX) Use Case Document (April 2022)
This resource provides the recommended minimum data elements of a VEX document and offers a set of scenarios with proposed implementations. This document was drafted by stakeholders through an open and transparent, community-led process.
Vulnerability Exploitability eXchange (VEX) Status Justification Document (June 2022)
This resource provides the recommended NOT AFFECTED status justifications for a VEX document and offers the reader examples of when the different status justifications might be used. VEX documents may contain a justification statement explaining why the VEX document creator chose to assert that the product’s status is NOT AFFECTED. This document was drafted by stakeholders through an open and transparent, community-led process.
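The following is an added example, not code from CISA or from either VEX document, showing what a consumer of VEX statements actually does with them: it checks that each statement carries the pieces those documents call for (in particular that a NOT AFFECTED assertion says why) and then uses the valid statements to separate an SBOM vulnerability scan into findings that still need action and findings the supplier has attested away. The four product statuses and the five NOT AFFECTED justification labels are the ones the referenced documents define; the flat dictionary layout, the field names, and the sample statements and findings (placeholder product and CVE identifiers) are assumptions constructed for this example, since VEX itself is carried in formats such as CSAF or CycloneDX rather than in a single mandated layout.

```python
"""Minimal VEX statement validator and consumer (added example, not CISA code).

The dict layout and field names below are assumptions for this example;
real VEX is carried in formats such as CSAF or CycloneDX.
"""

# Product statuses from the VEX Use Case document.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# NOT AFFECTED status justifications from the VEX Status Justification document.
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def validate_statement(stmt):
    """Return a list of problems; an empty list means the statement is usable."""
    problems = []
    for field in ("author", "timestamp", "product", "vulnerability", "status"):
        if not stmt.get(field):
            problems.append(f"missing {field}")
    status = stmt.get("status")
    if status not in STATUSES:
        problems.append(f"unknown status {status!r}")
    if status == "not_affected":
        # A NOT AFFECTED assertion should say why: a justification label
        # or a free-text impact statement.
        just = stmt.get("justification")
        if just is None and not stmt.get("impact_statement"):
            problems.append("not_affected needs a justification or impact_statement")
        elif just is not None and just not in JUSTIFICATIONS:
            problems.append(f"unknown justification {just!r}")
    if status == "affected" and not stmt.get("action_statement"):
        problems.append("affected needs an action_statement")
    return problems


def apply_vex(findings, statements):
    """Split scanner findings into (actionable, suppressed) using valid VEX statements.

    Only statements that pass validation are trusted; a malformed NOT AFFECTED
    statement must never silence a finding. When a supplier issues several
    statements for the same product/vulnerability pair, the latest timestamp
    (ISO 8601 strings, so lexical order is chronological) wins.
    """
    latest = {}
    for s in statements:
        if validate_statement(s):
            continue
        key = (s["product"], s["vulnerability"])
        if key not in latest or s["timestamp"] > latest[key]["timestamp"]:
            latest[key] = s
    actionable, suppressed = [], []
    for f in findings:
        s = latest.get((f["product"], f["vulnerability"]))
        if s and s["status"] in ("not_affected", "fixed"):
            suppressed.append((f, s["status"], s.get("justification")))
        else:
            # affected, under_investigation, or no statement at all: keep it.
            actionable.append(f)
    return actionable, suppressed


# Constructed sample data: placeholder identifiers, not real products or CVEs.
PRODUCT = "pkg:example/widget@1.2.3"
SAMPLE_STATEMENTS = [
    {"author": "Example Supplier", "timestamp": "2022-06-01T00:00:00Z",
     "product": PRODUCT, "vulnerability": "CVE-0000-0001",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"author": "Example Supplier", "timestamp": "2022-06-01T00:00:00Z",
     "product": PRODUCT, "vulnerability": "CVE-0000-0002",
     "status": "affected", "action_statement": "upgrade to 1.2.4"},
    # Invalid: asserts not_affected without saying why, so it suppresses nothing.
    {"author": "Example Supplier", "timestamp": "2022-06-01T00:00:00Z",
     "product": PRODUCT, "vulnerability": "CVE-0000-0003",
     "status": "not_affected"},
]
SAMPLE_FINDINGS = [
    {"product": PRODUCT, "vulnerability": f"CVE-0000-000{i}"} for i in (1, 2, 3, 4)
]


def demo():
    """Return (actionable CVE ids, suppressed CVE ids) for the sample data."""
    actionable, suppressed = apply_vex(SAMPLE_FINDINGS, SAMPLE_STATEMENTS)
    return ([f["vulnerability"] for f in actionable],
            [f["vulnerability"] for f, _, _ in suppressed])


if __name__ == "__main__":
    print(demo())
```

The point of running validation before consumption is the failure mode a practitioner cares about: a supplier statement that says NOT AFFECTED without a justification or impact statement is not a usable attestation, so the finding stays on the worklist rather than being silently dropped.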
More information
For any questions or to receive updates on CISA’s SBOM work, please contact SBOM@cisa.dhs.gov.