Acquisition Security Framework (ASF): Informing Software Bill of Materials (SBOM) Use Cases and Risk Reduction
Software Bill of Materials (SBOM) is gaining attention recently. By itself, an SBOM has limited value, but there is great potential if properly integrated into effective cyber risk management processes and practices. The SEI SBOM Framework compiles a set of leading practices for building an SBOM and uses it to support risk reduction. It provides a roadmap for managing vulnerabilities and risks in third-party software, including commercial-of-the-shelf (COTS) software, government-of-the-shelf (GOTS) software, and open source software (OSS). A set of use cases informed the foundation for identifying SBOM practices, including building an SBOM and using it to manage risks to software-intensive systems. Those foundational practices were augmented using key security management concepts, such as the need to address requirements, planning and preparation, infrastructure, and organizational support.