diff --git a/.markdownlint.json b/.markdownlint.json
index ce6da782..71428f06 100644
--- a/.markdownlint.json
+++ b/.markdownlint.json
@@ -1,5 +1,6 @@
 {
     "MD013": {
-        "code_blocks": false
+        "code_blocks": false,
+		"tables": false
     }
 }
\ No newline at end of file
diff --git a/README.md b/README.md
index af2e89f9..a8dddc05 100755
--- a/README.md
+++ b/README.md
@@ -39,6 +39,7 @@ minimising data loss during conversion, pull requests are welcome :)
 | License information in files | Needs review, the way SPDX and CycloneDX handle license information evidence is slightly different. |
 | Snippet Information | Snippets are not currently supported by CycloneDX |
 | Non-SPDX licenses | Implementation pending |
+| CPE for Component Identity | SPDX supports multiple CPEs for a package. But doesn't support specifying if any are a component identifier. The first one is used as component CPE.|
 
 #### CycloneDX -> SPDX
 
diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/ExternalRefs.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/ExternalRefs.cs
index 9f857584..6d4a65b5 100644
--- a/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/ExternalRefs.cs
+++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/ExternalRefs.cs
@@ -142,6 +142,13 @@ public static void AddSpdxExternalRefs(this Component component, List<ExternalRe
                         {
                             refPropValue = $"{extRef.ReferenceLocator} {extRef.Comment}";
                         }
+                        if ((refPropName == PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE22 ||
+                            refPropName == PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE23) && component.Cpe == null)
+                        {
+                            // For the first seen cpe, assume it is the component's cpe.
+                            component.Cpe = refPropValue;
+                            continue;
+                        }
 
                         if (refPropName == PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_PURL && component.Purl == null)
                         {
diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/SpdxDocumentHelpers.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/SpdxDocumentHelpers.cs
index 4d7eb619..9d6712b8 100644
--- a/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/SpdxDocumentHelpers.cs
+++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/SpdxDocumentHelpers.cs
@@ -200,7 +200,7 @@ public static void AddCycloneDXComponents(this SpdxDocument doc, Bom bom)
                 package.Checksums = component.GetSpdxChecksums();
                 package.ExternalRefs = component.GetSpdxExternalRefs();
 
-                if (component.Purl != null)
+                if (component.Cpe != null)
                 {
                     if (package.ExternalRefs == null)
                     {
@@ -208,6 +208,23 @@ public static void AddCycloneDXComponents(this SpdxDocument doc, Bom bom)
                     }
 
                     // Insert at the start, so that this correctly roundtrips, i.e. if there are
+                    // multiple CPEs, always pick the first as the component's cpe.
+                    var referenceType = component.Cpe.StartsWith("cpe:/", true, culture: System.Globalization.CultureInfo.InvariantCulture) ? "cpe22Type" : "cpe23Type";
+                    package.ExternalRefs.Insert(0, new ExternalRef
+                    {
+                        ReferenceCategory = ExternalRefCategory.SECURITY,
+                        ReferenceType = referenceType,
+                        ReferenceLocator = component.Cpe,
+                    });
+                }
+              
+                if (component.Purl != null)
+                {
+                    if (package.ExternalRefs == null)
+                    {
+                        package.ExternalRefs = new List<ExternalRef>();
+                    }
+
                     // multiple PURLs, always pick the first as the component's PURL.
                     package.ExternalRefs.Insert(0, new ExternalRef
                     {
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.2document.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.2document.snap
index 06da4903..ee18eae0 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.2document.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.2document.snap
@@ -111,6 +111,7 @@
         }
       ],
       "copyright": "Copyright 2008-2010 John Smith",
+      "cpe": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
       "externalReferences": [
         {
           "url": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
@@ -170,10 +171,6 @@
           "name": "spdx:package:originator:email",
           "value": "contact@example.com"
         },
-        {
-          "name": "spdx:external-reference:security:cpe23",
-          "value": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*"
-        },
         {
           "name": "spdx:external-reference:other:http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge",
           "value": "acmecorp/acmenator/4.1.3-alpha This is the external ref for Acme"
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.3document.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.3document.snap
index 780421a1..fde536ec 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.3document.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.3document.snap
@@ -107,6 +107,7 @@
         }
       ],
       "copyright": "Copyright 2008-2010 John Smith",
+      "cpe": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
       "externalReferences": [
         {
           "url": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
@@ -182,10 +183,6 @@
           "name": "spdx:checksum:adler32",
           "value": "85ed0817af83a24ad8da68c2b5094de69833983c"
         },
-        {
-          "name": "spdx:external-reference:security:cpe23",
-          "value": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*"
-        },
         {
           "name": "spdx:external-reference:persistent-id:swh",
           "value": "acmecorp/acmenator/4.1.3-alpha This is the external ref for Acme"