search menu icon-carat-right cmu-wordmark

Leveraging Software Bill of Materials Practices for Risk Reduction

In this webcast, Charles Wallen, Carol Woody, and Michael Bandor discuss how organizations can connect Software Bill of Materials (SBOM) to acquisition and development.

Software Engineering Institute



A Software Bill of Materials (SBOM) is a comprehensive list of software components involved in the development of a software product. While recently gaining attention in the context of security, SBOMs have limited value unless properly integrated into effective cyber risk management processes and practices. The SEI SBOM Framework compiles a set of leading practices for building an SBOM and using it to support risk reduction.

The SEI SBOM Framework provides a roadmap for managing vulnerabilities and risks in third-party software, including commercial-off-the-shelf (COTS) software, government-off-the-shelf (GOTS) software, and open-source software (OSS). A set of use cases informed the identification of SBOM practices, including building an SBOM and using it to manage risks to software intensive systems. These foundational practices were augmented using key security management concepts, such as the need to address requirements, planning and preparation, infrastructure, and organizational support. In this webcast, Charles Wallen, Carol Woody, and Michael Bandor discuss how organizations can connect SBOMs to acquisition and development to support improved system and software assurance.

Attendees will learn how to:

  • Leverage acquisition and engineering leading practices to inform SBOM program design
  • Use SBOM methods for managing system risk
  • Establish and manage an effective SBOM program
  • Manage leading practice considerations for SBOMs
  • Leverage SBOMs and their data for risk reduction—visualizing unknowns

About the Speaker

Headshot of Carol Woody.

Carol Woody

Dr. Carol Woody has been a senior member of the technical staff since 2001. Currently she is the technical manager for the Cyber Security Engineering (CSE) team, whose research focuses on meeting the challenges of cyber security in acquisition, system and software engineering.  CSE is building capabilities in defining, acquiring, …

Read more
Headshot of Charles Wallen

Charles M. Wallen

Charles M. Wallen has been a thought leader in operations and IT risk management for over 20 years. He has provided consulting to public and private organizations, led industry-wide initiatives, and managed global operations risk management and governance programs at American Express and Bank of America.  

Charles works closely with …

Read more