A “Software Bill of Materials” (SBOM) is effectively a nested inventory, a list of ingredients that make up software components. The following documents were drafted by stakeholders in an open and transparent process to address transparency around software components, and were approved by a consensus of participating stakeholders.
Introduction to SBOM
The Two-Page overview provides high-level information on SBOM’s background and ecosystem-wide solution, the NTIA process, and an example of an SBOM.
The FAQ document outlines detailed information, benefits, and commonly asked questions.
Resources, Research, & Reports
The following documents, drafted and approved in 2019, provide guidance on what an SBOM is and how it can be used, and a practical case study from the healthcare sector.
This resource defines SBOM concepts and related terms, offers a baseline of how software components are to be represented, and discusses the processes around SBOM creation. With terminology and a background of the NTIA process, it serves as a detailed introduction to SBOM.
This resource summarizes the benefits of having an SBOM from the perspective of those who make software, those who choose or buy software, and those who operate it. It characterizes the security, quality, efficiency, and other organizational benefits, as well as the potential for the broader ecosystem across the supply chain.
This resource summarizes existing standards, formats, and initiatives as they apply to identifying the external components and shared libraries used in the construction of software products for SBOMs, highlighting two key formats, SPDX and SWID. The group analyzed efforts already underway by other groups related to communicating this information in a machine-readable manner.
This resource documents the successful execution of, and lessons learned from, a proof-of-concept exercise led by medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). The exercise examined the feasibility of SBOMs being generated by MDMs and used by HDOs as part of operational and risk management approaches to medical devices at their hospitals.
For more information, please contact firstname.lastname@example.org
For upcoming and archived meeting details, please visit the NTIA Software Component Transparency page.