Operational Model

How to integrate software transparency into your organization's operations

The Operational Model provides practical guidance for implementing Software Bills of Materials (SBOMs), Vulnerability Exploitability eXchange (VEX), and Vulnerability Disclosure Reports (VDRs) within your organization. This guide focuses on workflows, processes, and integration strategies rather than content specifications.

While Content Requirements defines what information should be in your transparency artifacts, the Operational Model explains how to produce, distribute, and use those artifacts effectively.

What This Guide Covers

This guide helps you assess organizational readiness, choose appropriate workflows based on your role and maturity level, understand when to update SBOMs versus VEX documents, integrate transparency practices into existing development and security processes, and progress from manual processes to automated, policy-driven operations.

Whether you're a software producer generating and distributing SBOMs and VEX documents, a software consumer requesting and using transparency artifacts, or part of security, procurement, development, or operations teams integrating SBOM data into your workflows—this guide provides the operational context you need.

How to Navigate This Guide

If you're just starting, begin with Getting Started to assess readiness and choose your starting point. Understanding Core Concepts like SBOM/VEX lifecycle management prevents common mistakes.

For software producers, explore Producer Workflows covering generation, enrichment, validation, distribution, and VEX publication. Start with Generate SBOMs and progress through the workflow stages.

For software consumers, review Consumer Workflows covering supplier requests, ingestion, quality validation, tool integration, and monitoring. Begin with Request from Suppliers.

For specific problems, jump directly to Use Cases covering vulnerability management, incident response, supplier evaluation, regulatory compliance, license management, and end-of-life visibility.

For improving existing practices, explore Implementation Guides for maturity progression pathways, automation strategies, skills development, and avoiding common pitfalls.

For complex scenarios, see Advanced Topics covering transitive dependencies, multi-repository scenarios, legacy systems, format interoperability, and component health monitoring.

Relationship to Other Resources

This Operational Model complements the Content Requirements, which defines required fields and data quality standards, and the Assessment Tool, which measures your organization's transparency maturity.

The framework provides an integrated approach connecting content requirements, operational workflows, and maturity assessment with consistent leveling. It emphasizes practical "how" and "when" guidance over repeating standard specifications, supports progressive pathways from manual processes to full automation, addresses critical gaps like SBOM/VEX lifecycle synchronization, and includes real-world scenarios with edge cases and troubleshooting.

Getting Started

If you're new to SBOM operations, start with Organizational Readiness to assess whether your organization is ready to begin implementation.

If you understand the basics but need specific workflow guidance, jump to Producer Workflows or Consumer Workflows based on your role.