An SBOM is effectively an ingredient list or a nested inventory, a “formal record containing the details and supply chain relationships of various components used in building software,” the EO states. The EO requires NTIA to produce three proposed minimum elements that should go into any SBOM:

1. Data fields, such as supplier name, component name, version of the component, and more.
2. Operational considerations, such as frequency of SBOM generation, depth of the dependency tree, access to SBOM data, and more.
3. Support for automation, so that SBOM data can be produced and consumed at scale using already-standardized data formats; the three leading file formats are SPDX, CycloneDX, and SWID.
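To make the minimum elements concrete, here is an added example (not from the EO, NTIA, or this article) that checks a constructed CycloneDX JSON document for the data fields named above (supplier, component name, version) and measures the depth of its dependency tree. The component layout follows the CycloneDX 1.4 JSON format; the sample inventory itself is made up.

```python
import json

# Constructed CycloneDX 1.4 JSON document (not any real product's inventory):
# one top-level app and two libraries, the second deliberately lacking a supplier.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0",
                      "supplier": {"name": "Example Corp"}},
    },
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "version": "2.3.1",
         "supplier": {"name": "Upstream A"}},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a"]},
        {"ref": "lib-a", "dependsOn": ["lib-b"]},
        {"ref": "lib-b", "dependsOn": []},
    ],
})

# The minimum data fields the text names; CycloneDX carries supplier as an object.
REQUIRED = ("supplier", "name", "version")


def missing_fields(sbom_json: str) -> dict:
    """Map each component's bom-ref to the minimum fields it lacks (empty = complete)."""
    doc = json.loads(sbom_json)
    comps = [doc["metadata"]["component"]] + doc.get("components", [])
    return {c["bom-ref"]: absent
            for c in comps
            if (absent := [f for f in REQUIRED if not c.get(f)])}


def dependency_depth(sbom_json: str) -> int:
    """Longest dependency chain below the top-level component (a leaf has depth 0)."""
    doc = json.loads(sbom_json)
    edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}

    def depth(ref, seen):
        if ref in seen:          # cycle guard: do not recurse forever
            return 0
        children = edges.get(ref, [])
        return 1 + max((depth(c, seen | {ref}) for c in children), default=-1)

    return depth(doc["metadata"]["component"]["bom-ref"], frozenset())
```

A consumer can run the same two checks on every SBOM it receives to reject inventories that omit the required fields or that stop at the first dependency level.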
For some security professionals, SBOMs in a private sector organization could be a sign of the organization’s overall caliber.