The SEI SBOM Framework helps organizations use a software bill of materials (SBOM) for third-party software management. We created it, in part, in response to Executive Order (EO) 14028, Improving the Nation's Cybersecurity. Released in the wake of the SolarWinds and Apache Log4j supply chain attacks, EO 14028 requires U.S. government agencies to enhance software supply chain security, transparency, and integrity through the use of SBOMs. If your organization produces or supplies software for the U.S. government, perhaps you have already done your due diligence and complied with EO 14028. You have analyzed your code, extracted the relevant data, composed your SBOM, and made it available. You could declare victory and leave it at that. But consider all the data you have assembled and must maintain -- why not make good use of it? In this SEI Blog post, I will examine ways you can leverage your SBOM data, using the SEI SBOM Framework, to improve your software security and inform your supply chain risk management.
Publisher StatementThis material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. References herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.
This report was prepared for the SEI Administrative Agent AFLCMC/AZS 5 Eglin Street Hanscom AFB, MA 01731-2100.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
Copyright StatementCopyright 2024 Carnegie Mellon University.