A Software Bill of Materials (SBOM) is a nested inventory of the components (the "ingredients") in a software package, and it is becoming a key tool for reducing software supply chain risk.
The NTIA (National Telecommunications and Information Administration) has defined an SBOM as:
"... a formal record containing the details and supply chain relationships of various components used in building software
... An SBOM provides those who produce, purchase, and operate software with information that enhances their understanding of the supply chain, which enables multiple benefits, most notably the potential to track known and newly emerged vulnerabilities and risks."
Attempting to compile an SBOM by hand would be costly, time-consuming, and error-prone; component lists change with every build, and transitive dependencies are easy to miss.
With the SBOM creation feature in our FACT Platform, you can:
Recent work by the NTIA on defining the minimum elements of an SBOM (supplier, component name, version, other unique identifiers, dependency relationships, SBOM author, and timestamp) identified three supported data formats: SPDX, CycloneDX, and SWID tags.
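As an added example (not FACT Platform code), the script below takes a CycloneDX JSON document, rebuilds the nested dependency tree from its `dependencies` section, and reports which NTIA minimum elements are missing per component. The sample BOM embedded in it is constructed for illustration; the product names, versions, and package URLs are made up, and one component is deliberately left incomplete so the check has something to find.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

Added example, not part of the original page or of the FACT Platform.
The sample BOM is constructed; every name, version and purl is made up.
"""
import json

# Constructed sample CycloneDX 1.4 document. "libfoo" deliberately lacks a
# version, a supplier and a unique identifier so the checker reports it.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2023-01-15T10:00:00Z",
        "authors": [{"name": "Example Firmware Team"}],
        "component": {
            "type": "firmware",
            "bom-ref": "pkg:generic/example-firmware@2.1.0",
            "name": "example-firmware", "version": "2.1.0",
            "purl": "pkg:generic/example-firmware@2.1.0",
            "supplier": {"name": "Example Corp"},
        },
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/libbar@1.4.2",
         "name": "libbar", "version": "1.4.2",
         "purl": "pkg:generic/libbar@1.4.2",
         "supplier": {"name": "Bar Project"}},
        {"type": "library", "bom-ref": "libfoo", "name": "libfoo"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-firmware@2.1.0",
         "dependsOn": ["pkg:generic/libbar@1.4.2"]},
        {"ref": "pkg:generic/libbar@1.4.2", "dependsOn": ["libfoo"]},
    ],
})


def _dependency_map(bom: dict) -> dict:
    """Map each bom-ref to the list of bom-refs it depends on."""
    return {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}


def dependency_tree(bom_text: str) -> dict:
    """Rebuild the nested component tree rooted at the primary component.

    Each node is {"name@version": [child nodes]}; a missing version is
    shown as "?" so the gap stays visible in the tree.
    """
    bom = json.loads(bom_text)
    deps = _dependency_map(bom)
    root = bom["metadata"]["component"]
    labels = {c["bom-ref"]: f"{c.get('name')}@{c.get('version', '?')}"
              for c in bom.get("components", []) + [root]}

    def build(ref: str, seen: frozenset) -> dict:
        if ref in seen:  # guard against cycles in a malformed graph
            return {labels.get(ref, ref): "<cycle>"}
        children = [build(d, seen | {ref}) for d in deps.get(ref, [])]
        return {labels.get(ref, ref): children}

    return build(root["bom-ref"], frozenset())


def check_minimum_elements(bom_text: str) -> list:
    """Return a list of findings, one per missing NTIA minimum element."""
    bom = json.loads(bom_text)
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata: missing author of SBOM data")

    root = meta.get("component", {})
    components = list(bom.get("components", [])) + ([root] if root else [])
    known_refs = {c.get("bom-ref") for c in components}
    deps = _dependency_map(bom)

    for c in components:
        label = c.get("name") or c.get("bom-ref") or "<unnamed>"
        if not c.get("name"):
            findings.append(f"{label}: missing component name")
        if not c.get("version"):
            findings.append(f"{label}: missing version")
        if not (c.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")

    # Dependency relationships: the primary component must declare its
    # dependencies, and every dependsOn target must resolve to a component.
    if root and root.get("bom-ref") not in deps:
        findings.append("metadata: primary component has no dependency entry")
    for ref, targets in deps.items():
        for t in targets:
            if t not in known_refs:
                findings.append(f"dependencies: {ref} depends on unknown ref {t}")
    return findings


if __name__ == "__main__":
    print(json.dumps(dependency_tree(SAMPLE_BOM), indent=2))
    for finding in check_minimum_elements(SAMPLE_BOM):
        print("MISSING:", finding)
```

Run against the sample, the tree shows example-firmware depending on libbar, which in turn depends on libfoo, and the checker flags only libfoo (no version, no supplier, no purl/cpe/swid). The same element checks apply to SPDX documents; only the field names differ.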
Note that responsibility for advancing SBOMs, including scaling and operationalization, has transitioned from NTIA to CISA (the Cybersecurity and Infrastructure Security Agency).
The regulatory landscape is rapidly expanding in the wake of high-profile supply chain cyber attacks like SolarWinds and Kaseya.
Now that SBOMs have been defined and, under Executive Order 14028, required of vendors supplying software to US federal agencies, purchasers of critical software outside government are also expecting vendors to disclose the contents of their products through SBOMs.