SBOM-Community/documents
SBOM Community Document Repository

This repository indexes and holds copies of various documents drafted collaboratively by the CISA SBOM Community and through the NTIA Multistakeholder Process on Software Component Transparency. Some closely related documents (such as translations) are also included.

Neither CISA nor the NTIA maintains this repository, nor does this repository represent official CISA, NTIA, or U.S. Government policy. CISA, the NTIA, and the U.S. Government do not specifically adopt or endorse the views expressed in this repository. See the CISA SBOM Community Legal Explanation (copy) for more information. To learn more about the CISA-facilitated SBOM Community, including how to join ongoing efforts, contact [email protected].

Documents mirrored in this repository are primarily sourced from the CISA SBOM Resources Library and the NTIA Software Bill of Materials page. Document summaries are also largely adapted from the CISA and NTIA sources.

The maintainers acknowledge and thank CISA, NTIA, and the many volunteers who supported and contributed to this body of work.

SBOM

SBOM Sharing Primer

This document provides examples of how software bills of materials (SBOMs) can be shared between different actors across the software supply chain. It focuses on the processes and mechanisms for sharing SBOMs, assuming one party has created an SBOM and another party wants to access it. Additionally, this document builds upon the “SBOM Sharing Lifecycle Report” and the “SBOM Sharing Roles and Considerations” document drafted by the CISA-facilitated Sharing and Exchanging SBOM community-driven workstream.

| CISA | May 2025 | source | copy |

Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)

Third Edition

Further defines and clarifies SBOM Attributes from the Second Edition, offering descriptions of the minimum expected, recommended practices, and aspirational goal for each Attribute.

| CISA | September 2024 | source | copy |

Second Edition

A detailed foundation of SBOM that defines SBOM concepts and related terms, offers an updated baseline of how software components are to be represented, and discusses the processes around SBOM creation.

| NTIA | October 2021 | source | copy |

First Edition

| NTIA | November 2019 | source | copy |

SBOM FAQ

2024 Edition

Provides information on the benefits of SBOM, common misconceptions and concerns, creation of an SBOM, distributing and sharing an SBOM, and role-specific guidance. The document also provides information on SBOM-related efforts, such as Vulnerability Exploitability eXchange (VEX), OpenC2, and digital bill of materials (DBOM).

| CISA | June 2024 | source | copy |

2020 Edition

Outlines detailed information, benefits, and commonly asked questions.

| NTIA | November 2020 | source | source |

Software Transparency in SaaS Environments

Acknowledging key differences between SaaS and non-SaaS software, this paper discusses the value of SBOM-driven transparency for SaaS and offers recommendations for advancing transparency in SaaS software.

| CISA | May 2024 | source | copy |

SBOM Sharing Roles and Considerations

Building on the SBOM Sharing Lifecycle Report, this document defines the three roles (SBOM Author, SBOM Consumer, and SBOM Distributor) of the SBOM sharing lifecycle and the factors they should keep in mind or be aware of when engaging in the three phases of the sharing lifecycle (discovery, access, and transport).

| CISA | March 2024 | source | copy |

Assembling a Group of Products

This document is a guide for creating a build SBOM for products that require producers to assemble a set of products or components.

| CISA | November 2023 | source | copy |

Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption

This document provides guidance in line with industry best practices and principles, which software developers and software suppliers are encouraged to reference.

| NSA ESF | November 2023 | source | copy |

Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials

This document aligns with industry best practices and principles, including managing open source software and software bills of materials, that software developers and software suppliers can reference.

| NSA ESF | November 2023 | source | copy |

Software Identification Ecosystem Option Analysis

The Cybersecurity and Infrastructure Security Agency (CISA) announces the publication of “Software Identification Ecosystem Option Analysis,” which is a white paper on software identification ecosystems and requests public comment on the paths forward identified by the paper and on the analysis of the merits and challenges of the software identifier ecosystems discussed. Additionally, CISA requests input on analysis or approaches currently absent from the paper.

| CISA | October 2023 | source | copy |

Software Bill of Materials (SBOM) Sharing Lifecycle Report

The purpose of this report is to enumerate and describe the different parties and phases of the SBOM sharing lifecycle and to assist readers in choosing suitable SBOM sharing solutions based on the amount of time, resources, subject-matter expertise, effort, and access to tooling that is available to the reader to implement a phase of the SBOM sharing lifecycle. This report also highlights SBOM sharing survey results obtained from interviews with stakeholders to understand the current SBOM sharing landscape.

| CISA | April 2023 | source | copy |

Types of Software Bill of Materials (SBOM)

This document summarizes some common types of SBOMs that tools may create today, along with the data typically presented for each type of SBOM. It was drafted by a community-led working group on SBOM Tooling and Implementation, facilitated by CISA.

| CISA | April 2023 | source | copy |

How-To Guide for SBOM Generation

This document provides an explanation of SBOMs and SBOM generation, including the necessary content, tools, and formats, and offers examples. The document also includes information on the SPDX and SWID formats.

| NTIA | Software Transparency Healthcare POC | 2021 | source | copy |

SBOM Myths vs. Facts

This document contains a guide intended to help the reader to understand and dispel common, often sincere myths and misconceptions about SBOM. This list is not intended to be comprehensive.

| NTIA | November 2021 | source | copy |

Software Consumers Playbook: SBOM Acquisition, Management, and Use

This playbook outlines workflows for the acquisition, management, and use of Software Bills of Materials (SBOM) by software consumers. “Software consumer” is broadly defined to include commercial and non-commercial entities acquiring third-party software capabilities from a supplier.

| NTIA | November 2021 | source | copy |

Software Bill of Materials Related Efforts

This document enumerates initiatives, guidance, models, frameworks, and reports that explicitly or implicitly highlight the value of Software Bill of Materials (SBOM). This list was compiled as part of the National Telecommunications and Information Administration (NTIA) Multistakeholder Process on Software Component Transparency.

| NTIA | October 2021 | source | copy |

Software Component Transparency: Healthcare Proof of Concept Report

2021 Phase II Report

This document provides a summary of the second phase of the Healthcare SBOM PoC, describing the goals and accomplishments related to phase II.

| NTIA | October 2021 | source | copy |

2019 Report

This document describes the software bill of materials (SBOM) proof of concept (PoC) led by medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs), which examined the feasibility of SBOMs being generated by MDMs and utilized by HDOs as part of operational and risk management approaches to medical devices at their hospitals.

| NTIA | October 2019 | source | copy |

SBOM at a Glance

This resource provides an introduction to the practice of SBOM, supporting literature, and the pivotal role SBOMs play in providing much-needed transparency for the software supply chain.

| NTIA | April 2021 | source (en-US, ja) | copy (en-US, ja) |

SBOM Options and Decision Points

This document aims to frame the dimensions of what is possible with modern development practices and to support more consistent and effective articulation of needs between requesters and suppliers of SBOMs. The document provides graphical guides to common decision points identified by the NTIA multistakeholder process for SBOM.

| NTIA | April 2021 | source | copy |

Software Identification Challenges and Guidance

This resource reviews the challenges of identifying software components for SBOM implementation with sufficient discoverability and uniqueness. It offers guidance to functionally identify software components in the short term and converge multiple existing identification systems in the near future.

| NTIA | March 2021 | source | copy |

SBOM Tool Classification Taxonomy

This resource offers a categorization of different types of SBOM tools. It can help tool creators and vendors to easily classify their work, and can help those who need SBOM tools understand what is available.

| NTIA | March 2021 | source | copy |

The Minimum Elements For a Software Bill of Materials (SBOM)

Executive Order (14028) on Improving the Nation’s Cybersecurity directs the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), to publish the “minimum elements” for a Software Bill of Materials (SBOM). This is an official report produced by the U.S. government and not developed by the NTIA Multistakeholder Process community.

| NTIA | July 2021 | about | source | copy |

Software Suppliers Playbook: SBOM Production and Provision

This resource outlines workflows for the production of Software Bills of Materials (SBOM) and their provision by software suppliers, including software vendors supplying a commercial product, contract software developers supplying a software deliverable to clients, and open source software (OSS) development projects making their capabilities publicly available.

| NTIA | 2021 | source | copy |

Sharing and Exchanging SBOMs

This resource describes how SBOM data can flow down the supply chain, and provides a small set of SBOM discovery and access options to support flexibility while minimizing the burden of implementation.

| NTIA | February 2021 | source | copy |

Survey of Existing SBOM Formats and Standards

The original survey was published in late 2019, after drafts were reviewed by the broader NTIA community. As the SBOM community grew, and implementation increased, the original working group expanded its focus to highlight the benefits of the SBOM tooling ecosystem, and the value of coordinating and harmonizing across the technical SBOM world. As part of this effort, the working group observed that, by 2021, parts of the document were out of date or less relevant. This 2021 revision offers several improvements on the original draft, and should be considered the stakeholder consensus until further updated. A key takeaway—that the baseline SBOM data can be conveyed in any of the formats described below, and the ecosystem can and should support interoperability between these data formats—holds for this revised document.

| NTIA | 2021 | source | copy |

2019 Edition

| NTIA | 2019 | source | copy |

SBOM Two-Page Overview

This document provides high-level information on SBOM’s background and ecosystem-wide solution, the NTIA process, and an example of an SBOM.

| NTIA | 2020 | source | copy |

Use Cases: Roles and Benefits for SBOM Across the Supply Chain

This resource summarizes the use cases and benefits of having an SBOM from the perspective of those who make software, those who choose or buy software, and those who operate it. It characterizes the security, quality, efficiency, and other organizational benefits, as well as the potential for the broader ecosystem across the supply chain.

| NTIA | November 2019 | source | copy |

Roles and Benefits for SBOM Across the Supply Chain

This document lays out the different perspectives of those who produce software, choose software, and operate software, and how they interact with the SBOM ecosystem.

| NTIA | November 2019 | source | copy |

SBOM for AI Use Cases

Use cases and recommendations to operationalize Software Bills of Materials (SBOMs) for Artificial Intelligence (AI).

| publication |

NTIA Software Component Transparency

VEX

Reviewing Vulnerability Exploitability eXchange (VEX) Practices

Reviews, summarizes, and analyzes VEX practices to better understand how VEX is being used or considered for use.

| CISA | March 2025 | source (paper, data) | copy (paper, data) |

When to Issue VEX

This document seeks to explain the circumstances and events that could lead an entity to issue Vulnerability Exploitability eXchange (VEX) information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. This document identifies factors that influence the decision.

| CISA | November 2023 | source | copy |

Minimum Requirements for VEX

This document specifies the minimum elements to create a Vulnerability Exploitability eXchange (VEX) document. These elements are derived from, but may not fully conform to, existing VEX documentation and implementations. It was drafted and debated by experts from across the security and software world, representing different sectors and backgrounds.

| CISA | April 2023 | source | copy |

VEX Status Justifications

This resource provides the recommended NOT AFFECTED status justifications of a VEX document and offers the reader examples of when the different status justifications might be used. VEX documents may contain a justification statement of why the VEX document creator chose to assert that the product’s status is NOT AFFECTED. This document was drafted by stakeholders through an open and transparent, community-led process.

| CISA | June 2022 | source | copy |

VEX Use Cases

This resource provides the recommended minimum data elements of a VEX document and offers a set of scenarios with proposed implementations. This document was drafted by stakeholders through an open and transparent, community-led process and is part of a series of descriptions and guidance documents for VEX.

| CISA | April 2022 | source | copy |

VEX Overview

A brief introduction to VEX, which allows a software supplier to clarify whether a specific vulnerability actually affects a product.

| NTIA | September 2021 | source | copy |
