The Software Bill of Materials (SBOM)
A Software Bill of Materials (SBOM) is a formal, queryable record containing the details and relationships of the various open-source, third-party, or commercial components used in building a piece of software.
Minimum SBOM Content Requirements
As specified in "The Minimum Elements For a Software Bill of Materials (SBOM)", issued by the United States Department of Commerce, an SBOM should contain the following data elements at a minimum:
- Component supplier
- Component name and version
- Other unique identifiers
- Dependency relationship
- SBOM author
- Timestamp
SBOM Formats
Several standard formats are now available for communicating SBOM information in a way that meets these government requirements.
- SPDX (Software Package Data Exchange) is an open standard for communicating Software Bill of Materials (SBOM) information
- CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis
- SWID (Software Identification Tagging) provides a transparent way for organizations to track the software installed on their managed devices
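The following is an added example, not code from the original page, that ties the minimum-elements list above to the CycloneDX format: it builds a small, constructed CycloneDX 1.5 JSON document and checks each of the six minimum elements against it. The CycloneDX field names used (bomFormat, metadata.timestamp, metadata.authors, components, supplier, purl, cpe, swid, bom-ref, dependencies) are real schema fields; the mapping from each minimum element to those fields, the component names, versions and package URLs, and the hypothetical "acme-web" application are assumptions made for illustration. One component is deliberately left incomplete so the check has something to report, and a helper shows what completing it looks like.

```python
"""Check a CycloneDX JSON SBOM against the six minimum SBOM elements."""
import copy
import json
from datetime import datetime

# Constructed sample (not from any real project): a CycloneDX 1.5 document for a
# hypothetical "acme-web" application. The second library is deliberately
# incomplete so the checker has findings to report.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-01-15T10:30:00Z",
        "authors": [{"name": "Acme Build Pipeline"}],
        "component": {
            "type": "application",
            "bom-ref": "pkg:generic/acme-web@2.1.0",
            "name": "acme-web",
            "version": "2.1.0",
            "supplier": {"name": "Acme Corp"},
            "purl": "pkg:generic/acme-web@2.1.0",
        },
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:pypi/examplelib@1.2.3",
            "name": "examplelib",
            "version": "1.2.3",
            "supplier": {"name": "Example Maintainers"},
            "purl": "pkg:pypi/examplelib@1.2.3",
        },
        {
            "type": "library",
            "bom-ref": "urn:example:mystery-lib",  # no supplier, no purl, no dependency edge
            "name": "mystery-lib",
            "version": "0.0.1",
        },
    ],
    "dependencies": [
        {"ref": "pkg:generic/acme-web@2.1.0", "dependsOn": ["pkg:pypi/examplelib@1.2.3"]},
    ],
}

# The six minimum elements, in the order the guidance lists them.
MINIMUM_ELEMENTS = (
    "Component supplier",
    "Component name and version",
    "Other unique identifiers",
    "Dependency relationship",
    "SBOM author",
    "Timestamp",
)


def check_minimum_elements(sbom):
    """Map each minimum element to a list of findings; an empty list means it is satisfied."""
    findings = {element: [] for element in MINIMUM_ELEMENTS}
    meta = sbom.get("metadata", {})

    if not meta.get("authors"):
        findings["SBOM author"].append("metadata.authors is missing or empty")

    stamp = meta.get("timestamp")
    if not stamp:
        findings["Timestamp"].append("metadata.timestamp is missing")
    else:
        try:
            datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:
            findings["Timestamp"].append(f"metadata.timestamp is not ISO 8601: {stamp!r}")

    # Every bom-ref that takes part in the dependency graph, as parent or child.
    in_graph = set()
    for edge in sbom.get("dependencies", []):
        in_graph.add(edge.get("ref"))
        in_graph.update(edge.get("dependsOn", []))

    components = list(sbom.get("components", []))
    if "component" in meta:
        components.append(meta["component"])  # the root component is checked too

    for comp in components:
        label = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not comp.get("name") or not comp.get("version"):
            findings["Component name and version"].append(f"{label}: name or version missing")
        if not (comp.get("supplier") or {}).get("name"):
            findings["Component supplier"].append(f"{label}: supplier.name missing")
        # bom-ref is only document-local; a globally meaningful identifier is needed here.
        if not any(comp.get(key) for key in ("purl", "cpe", "swid")):
            findings["Other unique identifiers"].append(f"{label}: no purl, cpe or swid")
        if comp.get("bom-ref") not in in_graph:
            findings["Dependency relationship"].append(f"{label}: absent from dependencies")
    return findings


def missing_elements(sbom):
    """Names of the minimum elements that are not fully satisfied."""
    return [element for element, items in check_minimum_elements(sbom).items() if items]


def complete_component(sbom, bom_ref, supplier_name, purl, parent_ref):
    """Return a copy in which component `bom_ref` gains a supplier, a purl and an edge from `parent_ref`."""
    fixed = copy.deepcopy(sbom)
    for comp in fixed.get("components", []):
        if comp.get("bom-ref") == bom_ref:
            comp["supplier"] = {"name": supplier_name}
            comp["purl"] = purl
    for edge in fixed.setdefault("dependencies", []):
        if edge.get("ref") == parent_ref and bom_ref not in edge.setdefault("dependsOn", []):
            edge["dependsOn"].append(bom_ref)
    return fixed


if __name__ == "__main__":
    print(json.dumps(check_minimum_elements(SAMPLE_SBOM), indent=2))
    print("missing:", missing_elements(SAMPLE_SBOM))
```

Run as a script, the checker reports the incomplete library under three elements (supplier, unique identifier, dependency relationship) while author and timestamp pass; the same function can be pointed at any CycloneDX JSON loaded with json.load. The dependency check is the one most often missed in practice: a component listed in components but referenced by no dependencies edge tells a consumer nothing about how it got into the build, which defeats the "dependency relationship" element even though the entry itself looks complete.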