The Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a formal, machine-queryable record containing the details and relationships of the various open-source, third-party, or commercial components used in building a piece of software.

Minimum SBOM Content Requirements

As specified in The Minimum Elements For a Software Bill of Materials (SBOM), issued by the United States Department of Commerce, an SBOM should contain at least the following data elements:

Component supplier
Component name and version
Other unique identifiers
Dependency relationship
SBOM author
Timestamp

SBOM Formats

Standard, machine-readable SBOM formats are available for communicating this information in a form that meets the government requirements.

SPDX (Software Package Data Exchange) is an open standard for communicating Software Bill of Materials (SBOM) information
CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis
SWID (Software Identification Tagging) provides a transparent way for organizations to track the software installed on their managed devices
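As an added example that is not part of the original page, the check below loads a small constructed CycloneDX JSON SBOM and reports which of the minimum data elements listed above are missing, per component and for the document as a whole. The sample SBOM, its component names and the tool name are constructed for illustration; the field names (metadata.timestamp, metadata.authors, components[].supplier/purl/cpe/swid, dependencies[].ref/dependsOn) are those of the CycloneDX JSON schema.

```python
import json

# Constructed sample SBOM in CycloneDX 1.4 JSON; components are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2024-01-15T10:00:00Z",         # Timestamp
        "authors": [{"name": "example-sbom-tool"}],   # SBOM author
        "component": {"type": "application", "name": "webapp", "version": "2.1.0",
                      "bom-ref": "pkg:generic/webapp@2.1.0"},
    },
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "bom-ref": "pkg:npm/left-pad@1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "supplier": {"name": "npm community"}},
        # Deliberately incomplete: no supplier, no purl/cpe, and never referenced below.
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "bom-ref": "pkg:generic/zlib@1.2.13"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/webapp@2.1.0", "dependsOn": ["pkg:npm/left-pad@1.3.0"]},
    ],
})

def check_minimum_elements(sbom_json: str) -> list[str]:
    """Return one finding per missing minimum element; an empty list means all present."""
    sbom = json.loads(sbom_json)
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("SBOM timestamp missing")
    if not (meta.get("authors") or meta.get("tools")):  # a person or the generating tool
        findings.append("SBOM author missing")
    in_graph = set()  # every bom-ref that takes part in a declared dependency relationship
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed component>"
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"{label}: {field} missing")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: supplier missing")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in in_graph:
            findings.append(f"{label}: no declared dependency relationship")
    return findings
```

Running the check over the sample reports three gaps, all for the zlib entry; a component that is listed but never appears in the dependency graph is the kind of gap that makes an SBOM hard to act on during vulnerability triage.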