search menu icon-carat-right cmu-wordmark

Software Bill of Materials Framework: Leveraging SBOMs for Risk Reduction

White Paper
This paper is a Software Bill of Materials (SBOM) Framework that is a starting point for expanding the use of SBOMs for managing software and systems risk.

Software Engineering Institute


SBOMs are becoming crucial in managing software and systems risk and resilience. There are multiple efforts underway to expand the use of SBOMs. One driving factor is the reference to SBOMs in EO 14028. More importantly, there is wide and growing recognition that the risks posed by a lack of transparency in software must be addressed to help ensure security and promote resilience in systems.

The practices and processes outlined in this SBOM Framework can provide a starting point to build that structure for SBOM efforts. The SBOM Framework addresses the establishment of processes to manage multiple SBOMs and the vast data that they can provide; however, those processes will likely require further tuning as pilot-related activities provide input about improvements and tooling.

This SBOM Framework can help promote the use of SBOMs and establish a more comprehensive set of practices and processes that organizations can leverage as they build their programs.