Software Bill of Materials (SBOM) Considerations for Operational Test & Evaluation Activities
• White Paper
Publisher
Software Engineering Institute
Abstract
This white paper examines potential uses for an SBOM within various Operational Test & Evaluation (OT&E) activities. It covers the history and background of SBOMs, recent developments (as of the time of writing), general challenges and questions to ask, five specific use cases, and the conclusions and recommendations that can be made at this time.
SBOMs are, at this point, in early and varying stages of adoption across industry and within the DoD. There are still issues with the quality (e.g., completeness, accuracy, and currency) of the SBOMs being produced, as well as with adherence to the minimum essential elements identified by the U.S. Department of Commerce. Legacy systems and cloud-based systems will each present a challenge for producing SBOMs. The DoD is still working on proposed guidance for how programs should address the SBOM requirement.
Given this early phase of adoption, it is recommended that SBOMs be used to augment, not replace, the current methods used by Operational Test (OT) personnel in performing their testing functions, and that OT personnel not rely solely on SBOM information. As quality issues are resolved and adoption becomes more widespread over time, SBOMs will prove more useful for OT activities.