Cybersecurity & Infrastructure Security Agency (CISA)
SBOM Resources Library

Related topics:
Cyber Threats and Advisories

As the idea of the Software Bill of Materials (SBOM) has grown and matured, guidance has emerged to help clarify concepts, guide implementation, share insights, and address related issues. This site collects guidance documents from a number of sources: publications from CISA's community-led work, the earlier National Telecommunications and Information Administration (NTIA) multistakeholder process, guidance from CISA itself and other federal agencies, and relevant policy documents from governments around the world.

Introduction to SBOM

These resources may be helpful for a person or organization who is new to SBOM and is looking for more basic information. 

Video: Enhancing Software Security with SBOMs (2024)

This short video from CISA and DHS S&T explains the basic concepts and purpose of SBOM.  

SBOM at a Glance (2021)

This resource provides an introduction to the practice of SBOM, supporting literature, and the pivotal role SBOMs play in providing much-needed transparency for the software supply chain. (Japanese translation)

SBOM Explainer Videos on YouTube (2020-2021)

This collection of videos provides a wide range of information about SBOM including introductory concepts, technical webinars, and proof of concept presentations.

Use Cases: Roles and Benefits for SBOM Across the Supply Chain (2019)

This resource summarizes the use cases and benefits of having an SBOM from the perspective of those who make software, those who choose or buy software, and those who operate it.

Answering Your SBOM Questions

SBOM FAQ (2024)

This guide provides information on the benefits of SBOM, common misconceptions and concerns, creation of an SBOM, distributing and sharing an SBOM, and role-specific guidance. The document also provides information on SBOM-related efforts, such as V

SBOM FAQ (2021)

This document outlines detailed information, benefits, and commonly asked questions. (An update will be available shortly) 

SBOM Myths vs. Facts (2021)

This document is intended to help the reader to understand and dispel common, often sincere myths and misconceptions about SBOM.

Elevator Pitch

This document provides high-level information on SBOM’s background and ecosystem-wide solution, the NTIA process, and an example of an SBOM.

SBOM Two-Page Overview (2020)

Implementing SBOM

These resources offer practical guidance for incorporating SBOM into an organization’s software security practices. 

Framing Software Component Transparency (2024)

This document further defines and clarifies the SBOM Attributes from the 2021 Framing Software Component Transparency document, describing the minimum expected, recommended practice, and aspirational goal for each Attribute.

Software Transparency in SaaS Environments (2024)

Acknowledging key differences between SaaS and non-SaaS software, this paper discusses the value of SBOM-driven transparency for SaaS and offers recommendations for advancing transparency in SaaS software.

Guidance on Assembling a Group of Products (2024)

This document is a guide for creating the build SBOM for assembled products that may contain components that undergo version changes over time.

ESF: Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials (2024)

This document provides guidance aligned with industry best practices and principles for managing open source software and software bills of materials, which software developers and software suppliers can reference.

Types of Software Bill of Materials (SBOM) (2023)

This community-led resource summarizes common types of SBOMs that tools may create in the industry today, along with the data typically presented for each type of SBOM.

Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (2021)

This resource serves as the detailed foundation of SBOM. It defines SBOM concepts and related terms, offers an updated baseline of how software components are to be represented, and discusses the processes around SBOM creation. (prior 2019 edition)

Survey of Existing SBOM Formats and Standards (2021)

This resource summarizes existing standards, formats, and initiatives as they apply to identifying the external components and shared libraries used in the construction of software products for SBOMs. (prior 2019 edition)

Software Suppliers Playbook: SBOM Production and Provision (2021)

This resource outlines workflows for the production of Software Bills of Materials (SBOM) and their provision by software suppliers.

Software Consumers Playbook: SBOM Acquisition, Management, and Use (2021)

This resource outlines workflows for the acquisition, management, and use of SBOM by software consumers, including commercial and non-commercial entities acquiring third-party software capabilities from a supplier.

How-To Guide for SBOM Generation (2021)

This resource offers instructions and guidance on how to generate an SBOM based on the experiences of the Healthcare Proof-of-Concept working group.

SBOM Tool Classification Taxonomy (2021)

This resource offers a categorization of different types of SBOM tools. It can help tool creators and vendors to easily classify their work, and can help those who need SBOM tools understand what is available.

SBOM Options and Decision Points (2021)

This resource frames the dimensions of SBOM creation and delivery, to support more consistent and effective articulation of needs between requesters and suppliers of SBOMs.   

Sharing SBOMs

These resources offer guidance on how SBOMs can be shared between organizations. 

SBOM Sharing Primer (2024)

This document provides examples of how software bills of materials (SBOMs) can be shared between different actors across the software supply chain.

SBOM Sharing Roles and Considerations (2024)

This document defines the three roles of the SBOM sharing lifecycle (SBOM Author, SBOM Consumer, and SBOM Distributor) and the factors each should be aware of when engaging in the three phases of the sharing lifecycle.

Software Bill of Materials (SBOM) Sharing Lifecycle Report (2023)

The report enumerates and describes the different parties and phases of the SBOM sharing lifecycle, to assist readers in choosing suitable SBOM sharing solutions.

Sharing and Exchanging SBOMs (2021)

This resource describes how SBOM data can flow down the supply chain, and provides a small set of SBOM discovery and access options to support flexibility while minimizing the burden of implementation. 

NTIA Minimum Elements (2021)

The Executive Order (14028) on Improving the Nation’s Cybersecurity directed the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), to publish the “minimum elements” for a Software Bill of Materials (SBOM). This report builds on the work of NTIA’s SBOM multistakeholder process, as well as the responses to a request for comments issued in June 2021, and extensive consultation with other Federal experts.  

An SBOM is a formal record containing the details and supply chain relationships of various components used in building software. In addition to establishing minimum elements, this report defines the scope of how to think about minimum elements, describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution. 


Lessons from SBOM Proof of Concept Work

How-To Guide for SBOM Generation in Healthcare (2021)

This resource offers instructions and guidance on how to generate an SBOM based on the experiences of the Healthcare Proof-of-Concept working group.

Healthcare SBOM Proof of Concept – Phase II Summary (2021)

Phase II confirmed the value of providing SBOM information, proving the viability of the baseline elements, expanding use cases and participants, developing a how-to guide, and exploring the use of VEX.

Healthcare Proof of Concept Report (2019)

This resource documents the successful execution and lessons learned of a proof-of-concept exercise led by medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). 

Software Identification

Software Identification Ecosystem Option Analysis (2023)

The paper outlines a collective, community goal for a more harmonized software identification ecosystem that can be used across the complete, global software space for all key cybersecurity use cases.

Software Identity: Challenges and Guidance (2021)

This resource reviews the challenges of identifying software components for SBOM implementation with sufficient discoverability and uniqueness.

VEX

Vulnerability-Exploitability eXchange (VEX) - An Overview (2021)

This resource offers a brief introduction to VEX, which allows a software supplier to clarify whether a specific vulnerability actually affects a product.

When to Issue VEX Information (2023)

This document seeks to explain the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information.

Minimum Requirements for Vulnerability Exploitability eXchange (VEX) (2023)

This community-led resource specifies the minimum elements to create a VEX document, to help harmonize across implementations and accelerate tool creation.

Vulnerability Exploitability eXchange (VEX) Status Justification Document (2022)

This resource provides the recommended NOT AFFECTED status justifications of a VEX document and offers the reader examples of when the different status justifications might be used.

Vulnerability Exploitability eXchange (VEX) Use Case Document (2022)

This resource provides the recommended minimum data elements of a VEX document and offers a set of scenarios with proposed implementations.

Relevant Policy Documents from the United States

While not an exhaustive list, these resources are some of the policy documents related to SBOM in the United States.


Secure Software Development Framework (SSDF) Version 1.1 (SP 800-218)

The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices.

Minimum Elements for a Software Bill of Materials (2021)

The Executive Order (14028) on Improving the Nation’s Cybersecurity directs the Department of Commerce, in coordination with the NTIA, to publish the “minimum elements” for a Software Bill of Materials.

Relevant Policy Documents Around the World

While not an exhaustive list, these resources are some of the policy documents related to SBOM around the world.

Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products (Germany, 2023)

This Technical Guideline, published by the German Federal Office for Information Security (BSI), describes the requirements for a “Software Bill of Materials (SBOM)”.

Cyber Resilience Act (European Union, proposed 2023)

The proposed EU Cyber Resilience Act includes a framework of cybersecurity requirements governing the planning, design, development and maintenance of products.

A Guide to Implementing the Software Bill of Materials (SBOM) for Software Management (Japan, 2023)

Published by the Japan Ministry of Economy, Trade, and Industry (METI), this document offers guidance on implementing SBOM.

Using Software Bill of Materials for Enhancing Cybersecurity (Netherlands, 2021)

This report from the Netherlands National Cyber Security Centre (NCSC) captures the state of the SBOM landscape and the potential purposes and uses of SBOM in a cybersecurity context.

Managing Vulnerabilities with SBOM (Finland, 2021)

The Finland National Cyber Security Centre recommends that all software owners adopt a Software Bill of Materials (SBOM).

Additional Resources

Software Bill of Materials Related Efforts (2021)

A collection of initiatives, guidance, models, frameworks, and reports that explicitly or implicitly highlight the value of SBOM.

ESF: Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption (2023)

This document provides guidance in line with industry best practices and principles, which software developers and software suppliers are encouraged to reference.

Past Events

Past Event: SBOM-a-Rama February 2024

View information about the SBOM-a-Rama held on February 29, 2024. 
