# External Resources

Curated index of authoritative documents for software transparency work.

Documents grouped by standards, regulation, implementation guidance, complementary frameworks and community work.
## Standards

Formal specifications that define how transparency artifacts are structured, encoded and verified.

| Resource | Description |
|---|---|
| SPDX Specification | Format and information model for software bills of materials; published as ISO/IEC 5962 |
| CycloneDX Specification | OWASP format for SBOMs, VEX, and supply chain attestations |
| OpenVEX Specification | Minimal JSON format for vulnerability exploitability statements |
| CSAF Standard (v2.0, Errata 01) | OASIS format for machine-readable security advisories, including the VEX profile |
| NTIA SBOM Minimum Elements | 2021 NTIA baseline for minimum SBOM data fields, automation, and practices |
| 2025 Minimum Elements for a Software Bill of Materials (SBOM) - Public Comment Draft | Draft CISA update to the NTIA minimum elements; tracks emerging US expectations |
| OWASP SCVS v2 | OWASP Software Component Verification Standard for evaluating SBOM content quality |
## Regulatory and policy guidance

Laws, regulations, and government policy that establish SBOM and supply chain requirements.

| Resource | Description |
|---|---|
| EU CRA | EU Cyber Resilience Act: cybersecurity and SBOM obligations for manufacturers of products with digital elements |
| NIS2 Directive | EU directive requiring supply chain risk management and incident reporting for essential and important entities |
| BSI TR-03183-2: Software Bill of Materials | German technical guideline for SBOM content, referenced in CRA interpretation |
| Executive Order 14028: Improving the Nation's Cybersecurity | 2021 US executive order that introduced federal SBOM requirements and triggered NIST SSDF and related guidance |
| OMB M-26-05: Adopting a Risk-based Approach to Software and Hardware Security | Current US federal guidance for software and hardware assurance; allows agencies to require a current SBOM on request |
## Authoritative guides

Implementation guidance from standards bodies, coordination centers and government agencies.

| Resource | Description |
|---|---|
| ENISA SBOM Analysis: Towards an Implementation Guide (v1.20, Dec 2025) | Current ENISA implementation guide for SBOM programs |
| Consolidated SBOM and CSAF/VEX Operational Framework | FIRST practical guidance for how SBOM and CSAF/VEX work together operationally |
| PSIRT Maturity Document | FIRST guidance for building the response capability behind high-quality advisories and VEX |
| OpenChain SBOM Quality Management Reference Material | OpenChain community reference material for SBOM quality management |
| Framing Software Component Transparency (2024) | CISA conceptual framework for SBOM structure, purpose, and transparency expectations |
| SBOM FAQ (2024) | Current CISA introduction to SBOM concepts, uses, and common questions |
| Recommended Practices for SBOM Consumption (2024) | CISA guidance for organizations that receive, assess, and act on supplier SBOMs |
| Securing the Software Supply Chain: Recommended Practices Guide for Suppliers and Developers | CISA guidance for software producers on secure supply chain practices and artifact delivery |
| Software Acquisition Guide for Government Enterprise Consumers | CISA guidance for procurement and acquisition teams evaluating software assurance, including provenance and SBOM-related questions |
| CERT Guide to Coordinated Vulnerability Disclosure | CERT/CC guide to coordinated vulnerability disclosure workflows |
| NIST SP 800-218: Secure Software Development Framework (SSDF) | Foundational US secure development framework referenced by federal SBOM policy |
| NIST SP 800-161 Rev 1: Cybersecurity Supply Chain Risk Management Practices (C-SCRM) | Foundational US guidance for managing supply chain cybersecurity risk |
## Complementary frameworks

Vulnerability triage and build-integrity frameworks used alongside SBOM work.

| Resource | Description |
|---|---|
| SSVC: Stakeholder-Specific Vulnerability Categorization | CERT/CC framework for categorizing and prioritizing vulnerability response |
| SLSA: Supply-chain Levels for Software Artifacts | Supply chain integrity framework for build provenance and artifact attestation |
## Community, working groups, and research

Organizations, working groups, and industry research that maintain or track the SBOM ecosystem.

| Resource | Description |
|---|---|
| CISA SBOM Resources | CISA landing page collecting SBOM guidance, FAQs, and reference material |
| OpenSSF | Linux Foundation umbrella for open source security projects, tooling, and working groups |
| OpenChain Project | Community behind the OpenChain ISO standards and SBOM quality reference material |
| FIRST PSIRT SIG | FIRST special interest group for product security incident response teams |
| ORCWG CRA Hub | Open Regulatory Compliance Working Group CRA resources including community FAQ |
| CERT/CC | Coordination center behind SSVC and the CVD guide |
| Linux Foundation: State of Software Bill of Materials Report | Linux Foundation Research report on SBOM adoption, maturity, and practice |