The Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a formal, machine-readable record containing the details and supply-chain relationships of the open-source, third-party, and commercial components used in building a piece of software. Because it is structured data rather than a free-text inventory, it can be queried automatically, for example to find every product that ships a given vulnerable library.

Minimum SBOM Content Requirements

As specified in The Minimum Elements For a Software Bill of Materials (SBOM), issued by the United States Department of Commerce (through NTIA) in July 2021 under Executive Order 14028, an SBOM should contain at least the following data elements:

  • Component supplier: the name of the entity that creates, defines, and identifies the component

  • Component name and version: the designation the supplier gives the component, and the identifier the supplier uses to distinguish it from earlier releases

  • Other unique identifiers: additional keys such as a PURL, CPE, or SWID tag that let the component be looked up in vulnerability and package databases

  • Dependency relationship: a record that upstream component X is included in software Y, so the SBOM captures the dependency tree and not just a flat list

  • SBOM author: the entity that created the SBOM data, which is not necessarily the component supplier

  • Timestamp: the date and time at which the SBOM data was assembled

SBOM Formats

The minimum elements document names three existing data formats that can carry these elements and that satisfy the government requirements. The choice depends mainly on where the SBOM is produced and consumed (build pipeline versus installed software inventory), since the same component can be expressed in any of them:

  • SPDX (Software Package Data Exchange) is an open standard for communicating SBOM information, maintained under the Linux Foundation and published as ISO/IEC 5962:2021; it is serialized as tag-value, RDF, XML, YAML, or JSON

  • CycloneDX is a lightweight SBOM standard from OWASP designed for application security contexts and supply chain component analysis (also published as ECMA-424); it is serialized as JSON, XML, or protobuf

  • SWID (Software Identification) tags, defined in ISO/IEC 19770-2, are XML records installed alongside software that give organizations a transparent way to track what is installed on their managed devices; they describe deployed software rather than the build-time dependency tree
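The minimum elements above are format-independent, but a consumer has to check for them in whichever format arrives. The following Python script, added here as an illustration and not part of the NTIA document or of any SBOM tool, walks a CycloneDX JSON or SPDX JSON document and reports each minimum element that is missing: timestamp and author at the document level, then name, version, supplier, unique identifier, and dependency relationship for every component or package. The two SBOM documents embedded in it are constructed samples for a made-up application (`example-app`, `example-lib`, `Example Corp`); the second one deliberately omits a supplier and a relationship so the check has something to find.

```python
"""Check a CycloneDX or SPDX JSON SBOM for the NTIA minimum elements (added example)."""
import json


def _cyclonedx_gaps(bom):
    """Findings for a CycloneDX JSON document (specVersion 1.4 or later)."""
    gaps = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("document: missing metadata.timestamp")
    if not (meta.get("authors") or meta.get("tools")):  # person/org or tool author
        gaps.append("document: missing metadata.authors/tools (SBOM author)")
    referenced = set()  # every bom-ref on either side of a dependency edge
    for d in bom.get("dependencies", []):
        referenced.add(d.get("ref"))
        referenced.update(d.get("dependsOn", []))
    for c in bom.get("components", []):
        label = c.get("name") or "<unnamed component>"
        if not c.get("version"):
            gaps.append(f"{label}: missing version")
        if not c.get("supplier", {}).get("name"):
            gaps.append(f"{label}: missing supplier.name")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            gaps.append(f"{label}: missing unique identifier (purl/cpe/swid)")
        if c.get("bom-ref") not in referenced:
            gaps.append(f"{label}: not in any dependency relationship")
    return gaps


def _spdx_gaps(doc):
    """Findings for an SPDX 2.x JSON document."""
    gaps = []
    info = doc.get("creationInfo", {})
    if not info.get("created"):
        gaps.append("document: missing creationInfo.created")
    if not info.get("creators"):
        gaps.append("document: missing creationInfo.creators (SBOM author)")
    referenced = set()  # every SPDXID taking part in a relationship
    for r in doc.get("relationships", []):
        referenced.update((r.get("spdxElementId"), r.get("relatedSpdxElement")))
    id_types = {"purl", "cpe22Type", "cpe23Type", "swid"}
    for p in doc.get("packages", []):
        label = p.get("name") or "<unnamed package>"
        if not p.get("versionInfo"):
            gaps.append(f"{label}: missing versionInfo")
        # SPDX permits NOASSERTION here; the minimum elements want a real value.
        if p.get("supplier", "NOASSERTION") in ("", "NOASSERTION"):
            gaps.append(f"{label}: missing supplier")
        if not any(r.get("referenceType") in id_types for r in p.get("externalRefs", [])):
            gaps.append(f"{label}: missing unique identifier in externalRefs")
        if p.get("SPDXID") not in referenced:
            gaps.append(f"{label}: not in any relationship")
    return gaps


def minimum_element_gaps(sbom):
    """Return the list of gaps (empty = all present); `sbom` is JSON text or a dict."""
    doc = json.loads(sbom) if isinstance(sbom, str) else sbom
    if doc.get("bomFormat") == "CycloneDX":
        return _cyclonedx_gaps(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return _spdx_gaps(doc)
    raise ValueError("not a CycloneDX or SPDX JSON document")


# Constructed sample: a complete CycloneDX 1.5 SBOM for a made-up application.
CYCLONEDX_OK = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"timestamp": "2024-03-01T12:00:00Z",
                 "authors": [{"name": "Example Corp AppSec"}],
                 "component": {"type": "application", "bom-ref": "app",
                               "name": "example-app", "version": "2.0.0"}},
    "components": [{"type": "library", "bom-ref": "pkg:pypi/example-lib@1.4.2",
                    "name": "example-lib", "version": "1.4.2",
                    "supplier": {"name": "Example Libraries Ltd"},
                    "purl": "pkg:pypi/example-lib@1.4.2"}],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:pypi/example-lib@1.4.2"]}],
}

# Constructed sample: an SPDX 2.3 SBOM with two deliberate gaps on example-lib:
# supplier is NOASSERTION and no relationship mentions the package.
PURL = {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl"}
SPDX_INCOMPLETE = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app-sbom",
    "creationInfo": {"created": "2024-03-01T12:00:00Z", "creators": ["Tool: example-scanner-1.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "2.0.0",
         "supplier": "Organization: Example Corp",
         "externalRefs": [{**PURL, "referenceLocator": "pkg:generic/example-app@2.0.0"}]},
        {"SPDXID": "SPDXRef-lib", "name": "example-lib", "versionInfo": "1.4.2",
         "supplier": "NOASSERTION",
         "externalRefs": [{**PURL, "referenceLocator": "pkg:pypi/example-lib@1.4.2"}]},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-app"}],
}

if __name__ == "__main__":
    for fmt, doc in (("CycloneDX", CYCLONEDX_OK), ("SPDX", SPDX_INCOMPLETE)):
        print(fmt, minimum_element_gaps(doc) or "all minimum elements present")
```

Two points the check makes visible that the list alone does not: SPDX allows `NOASSERTION` for a supplier, so a document can be schema-valid yet still fail the minimum elements, and a package that appears in the `packages` array but in no relationship has no recorded dependency relationship even though it is "in" the SBOM. A schema validator for either format will not catch these; a minimum-elements check like this one runs after schema validation, not instead of it.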