Software Engineering Institute

SBOMs are becoming crucial in managing software and systems risk and resilience. There are multiple efforts underway to expand the use of SBOMs. One driving factor is the reference to SBOMs in EO 14028. More importantly, there is wide and growing recognition that the risks posed by a lack of transparency in software must be addressed to help ensure security and promote resilience in systems.

The practices and processes outlined in this SBOM Framework can provide a starting point to build that structure for SBOM efforts. The SBOM Framework addresses the establishment of processes to manage multiple SBOMs and the vast data that they can provide; however, those processes will likely require further tuning as pilot-related activities provide input about improvements and tooling.

This SBOM Framework can help promote the use of SBOMs and establish a more comprehensive set of practices and processes that organizations can leverage as they build their programs.