G.1.5 Deliver SBOM

Control Details

Objective

By providing an SBOM, enable internal and external customers to analyze the contents of the final software package, including the versions of its dependencies.

Definition

Generate (preferably at build time) and provide an SBOM, in a machine-readable NTIA-supported format, for generated products, including AI models. SBOMs should be digitally signed using a verifiable and trusted key. Providing VEX data for all components should also be considered.
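The following is an added illustration of what this control asks for, not code from the framework this page belongs to: a build step emits a machine-readable SBOM (the field names follow the CycloneDX JSON schema, with a "machine-learning-model" component standing in for the AI model), embeds a VEX-style analysis entry, signs the exact SBOM bytes with an Ed25519 key, and an acquirer verifies the signature against a public key it already trusts. Component names, versions and the vulnerability identifier are constructed placeholders; the key pair is generated on the fly, whereas in practice the signing key would be held in a key-management system and its public half distributed through a trusted channel.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"log"
)

// Component mirrors a small subset of a CycloneDX component entry.
// The field names are the schema's; the values below are constructed.
type Component struct {
	Type    string `json:"type"` // e.g. "library", "machine-learning-model"
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl,omitempty"`
}

// Analysis is the VEX part of a vulnerability entry: it tells the consumer
// whether the product is actually affected by the listed identifier.
type Analysis struct {
	State  string `json:"state"`
	Detail string `json:"detail,omitempty"`
}

type Vulnerability struct {
	ID       string   `json:"id"`
	Analysis Analysis `json:"analysis"`
}

type SBOM struct {
	BOMFormat       string          `json:"bomFormat"`
	SpecVersion     string          `json:"specVersion"`
	Version         int             `json:"version"`
	Components      []Component     `json:"components"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities,omitempty"`
}

// BuildSBOM is the step the build pipeline would run: it records every shipped
// component, including the AI model, with its exact version. All names,
// versions and the CVE-style identifier here are constructed placeholders.
func BuildSBOM() SBOM {
	return SBOM{
		BOMFormat:   "CycloneDX",
		SpecVersion: "1.5",
		Version:     1,
		Components: []Component{
			{Type: "application", Name: "example-service", Version: "3.4.0"},
			{Type: "library", Name: "example-json-lib", Version: "1.2.0",
				PURL: "pkg:generic/example-json-lib@1.2.0"},
			{Type: "machine-learning-model", Name: "example-classifier", Version: "2024.06"},
		},
		Vulnerabilities: []Vulnerability{
			{ID: "CVE-0000-00000", // placeholder, not a real CVE
				Analysis: Analysis{State: "not_affected",
					Detail: "vulnerable function is never called by this product"}},
		},
	}
}

// SignedSBOM is the delivered artifact: the exact SBOM bytes plus a detached,
// hex-encoded Ed25519 signature over them. The public key is deliberately not
// carried inside the envelope; trust in it must come from elsewhere.
type SignedSBOM struct {
	SBOM      json.RawMessage `json:"sbom"`
	Signature string          `json:"signature"`
}

// SignSBOM serialises the SBOM once and signs those bytes, so the bytes that
// are verified later are the bytes that were signed.
func SignSBOM(s SBOM, priv ed25519.PrivateKey) (SignedSBOM, error) {
	raw, err := json.Marshal(s)
	if err != nil {
		return SignedSBOM{}, err
	}
	return SignedSBOM{SBOM: raw, Signature: hex.EncodeToString(ed25519.Sign(priv, raw))}, nil
}

// VerifySBOM is what an acquirer runs before relying on the component list:
// any change to the SBOM bytes, or a signature made with another key, fails.
func VerifySBOM(env SignedSBOM, trusted ed25519.PublicKey) bool {
	if len(trusted) != ed25519.PublicKeySize {
		return false
	}
	sig, err := hex.DecodeString(env.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(trusted, env.SBOM, sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stand-in for a managed signing key
	if err != nil {
		log.Fatal(err)
	}
	env, err := SignSBOM(BuildSBOM(), priv)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("sbom:", string(env.SBOM))
	fmt.Println("signature valid:", VerifySBOM(env, pub))

	// An SBOM whose dependency version was edited after signing must be rejected.
	tampered := env
	tampered.SBOM = bytes.Replace(env.SBOM, []byte(`"1.2.0"`), []byte(`"1.2.1"`), 1)
	fmt.Println("tampered sbom valid:", VerifySBOM(tampered, pub))
}
```

The signature covers the serialised bytes rather than the parsed structure, which is why the envelope keeps the raw JSON: re-marshalling on the consumer side could reorder or reformat fields and break verification. Keeping the public key out of the envelope matters for the "verifiable and trusted key" requirement, since a key shipped alongside the SBOM proves nothing about who produced it.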

Assessment Questions

  1. How do you deliver an SBOM and provenance data that satisfy your contracts with software acquirers, for example in a standards-based format?
  2. How and when is the SBOM built?
  3. What tool do you use?
  4. How do you digitally sign the SBOMs?
  5. How do you produce a VEX supplement for your SBOM, if any?
  6. What is your process for generating the VEX information, if any?

Reference sources

  1. EO 4e(vi) 4e(vii) 4e(x)
  2. SSDF PS.3.2
  3. SSDF-AI PS.3.2
  4. SLSA Source L3: Signed and auditable provenance
  5. BSIMM SE3.6
  6. 800-161 SR-4
  7. OWASP-SCVS 1.4 2
  8. S2C2F REB-3 REB-4
  9. CNCF-SSC M-V: Generate an immutable SBOM of code
  10. Self-attestation 3
  11. SAMM I-SB-2-B
  12. OSPS OSPS-QA-02