diff --git a/docs/platform_management_plan/vulnerability_management.rst b/docs/platform_management_plan/vulnerability_management.rst index a94c8d6ac4c..743ebb441fc 100644 --- a/docs/platform_management_plan/vulnerability_management.rst +++ b/docs/platform_management_plan/vulnerability_management.rst 
@@ -189,6 +189,52 @@ Multiple channels are established for vulnerability identification: * Security advisories from upstream projects and suppliers * Community-reported issues through GitHub issue tracking +SBOM Requirements +^^^^^^^^^^^^^^^^^ + +SBOMs are generated for all planned platform releases per :need:`wp__sw_platform_sbom` and for all planned module +releases per :need:`wp__sw_module_sbom`, using the +`S-CORE SBOM tool `_. +All metadata values are derived from automated sources (Bazel dependency graph, +lockfiles, and external registries) and must not be manually edited. + +The following SBOM formats are supported: + +.. list-table:: + :header-rows: 1 + :widths: 30 25 25 20 + + * - Format + - Current support + - Planned support + - Notes + * - SPDX + - 2.3 + - 3.x + - + * - CycloneDX + - 1.6 + - + - + +Every generated SBOM must include the +`CISA 2025 minimum elements `_ +for each component: + +* **Component name** - human-readable name of the dependency +* **Component version** - exact released version string used in the build +* **Component hash (SHA-256)** - integrity checksum sourced from the module lockfile +* **Software identifier (PURL)** - package URL uniquely identifying the component by ecosystem, name, and version +* **License expression** - SPDX license expression concluded for the component +* **Dependency relationships** - graph edges recording transitive dependency exposure +* **Supplier** - organisation or individual that distributes the component +* **Component description** - short summary of what the component does +* **SBOM author** - entity responsible for producing the SBOM document +* **Tool name** - name and version of the tool that generated the SBOM +* **Timestamp** - UTC timestamp recording when the SBOM was generated + +CVE information for known vulnerabilities is not included in generated SBOMs, as this is handled by GitHub Dependabot. + Vulnerability Analysis ^^^^^^^^^^^^^^^^^^^^^^
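Review bot: the two external links in this hunk have empty targets: `` `S-CORE SBOM tool `_ `` and `` `CISA 2025 minimum elements `_ `` contain no ``<url>`` between the link text and the closing backtick, so Sphinx will emit an "Unknown target name" warning and the references will not render; please add the URL in the form `` `S-CORE SBOM tool <https://...>`_ ``. A second point on the sentence "All metadata values are derived from automated sources ... and must not be manually edited": the hunk states the rule but not how it is enforced, so consider naming the check (for example, a CI step that regenerates the SBOM and fails on a diff) or referencing the requirement that does. Lastly, the empty cells in the CycloneDX row (Planned support, Notes) and the SPDX Notes cell read as missing data rather than "none"; a short "n/a" or "-" would make the intent explicit.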