Community-Drafted Documents on Software Bill of Materials

These documents were drafted by stakeholders in an open and transparent process to address transparency around software components, and were approved by a consensus of participating stakeholders. A “Software Bill of Materials” (SBOM) is effectively a nested inventory, a list of ingredients that make up software components. These documents provide guidance on what an SBOM is and how it can be used, and a practical case study from the healthcare sector.

Framing Software Component Transparency: Establishing a Common Software Bill of Material (SBOM)

This resource defines SBOM concepts and related terms, offers a baseline of how software components are to be represented, and discusses the processes around SBOM creation. With terminology and a background of the NTIA process, it serves as a detailed introduction to SBOM.

Roles and Benefits for SBOM Across the Supply Chain

This resource summarizes the benefits of having an SBOM from the perspective of those who make software, those who choose or buy software, and those who operate it. It characterizes the security, quality, efficiency, and other organizational benefits, as well as the potential for the broader ecosystem across the supply chain.

Survey of Existing SBOM Formats and Standards

This resource summarizes existing standards, formats, and initiatives as they apply to identifying the external components and shared libraries used in the construction of software products for SBOMs, highlighting two key formats, SPDX and SWID. The group analyzed efforts already underway by other groups related to communicating this information in a machine-readable manner.

Healthcare Proof of Concept Report

This resource documents the successful execution of, and lessons learned from, a proof-of-concept exercise led by medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). The exercise examined the feasibility of SBOMs being generated by MDMs and used by HDOs as part of operational and risk management approaches to medical devices at their hospitals.

For more information, please contact afriedman@ntia.gov