Software Bill of Materials (SBOM)
A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of the ingredients that make up software components. While not a brand new concept, the ideas and implementation have advanced since 2018 through a number of collaborative community efforts, including the National Telecommunications and Information Administration’s (NTIA) multistakeholder process.
CISA is advancing SBOM adoption and practices by facilitating community-led work, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. This website will also be a nexus for the broader set of SBOM resources across the digital ecosystem and around the world.
An SBOM-related concept is the Vulnerability Exploitability eXchange (VEX). A VEX document is an attestation, a form of security advisory, that indicates whether a product or products are affected by a known vulnerability or vulnerabilities.
CISA also advances the SBOM work by facilitating community engagement to advance and refine SBOM, coordinating with international, industry, and inter-agency partners on SBOM implementation, and promoting SBOM as a transparency tool across the broader software ecosystem, the U.S. government, and the world. If you have any questions, please reach out to us at SBOM@cisa.dhs.gov.
What's New in SBOM
Event: SBOM-a-Rama September 2024
View information about the upcoming SBOM-a-Rama September 11-12, 2024.
SBOM Sharing Roles and Considerations
Building on the SBOM Sharing Lifecycle Report, this document defines the three roles (SBOM Author, SBOM Consumer, and SBOM Distributor) of the SBOM sharing lifecycle and the factors they should keep in mind or be aware of when engaging in the three p
Past Event: SBOM-a-Rama February 2024
View information about the SBOM-a-Rama held on February 29, 2024.
Assembling a Group of Products
Software producers, such as product manufacturers and integrators, often need to assemble and test a set of products together before delivering to their customers. This set of products may contain components that undergo version changes over time and
When to Issue VEX Information
This document seeks to explain the circumstances and events that could lead an entity to issue Vulnerability Exploitability eXchange (VEX) information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX
SBOM Resources Library
CISA advances the SBOM work by facilitating community engagement to advance and refine SBOM, coordinating with international, industry, and inter-agency partners on SBOM implementation, and promoting SBOM as a transparency tool across the broader software ecosystem, the U.S. government, and the world.
More Information
For any questions or to receive updates on CISA’s SBOM work, please email SBOM@cisa.dhs.gov.