Maturity Levels
Operational characteristics that distinguish L1 and L2 SBOM maturity
The framework defines two maturity levels for SBOM operations: L1 (Basic) and L2 (Advanced). The Content Requirements define these levels in terms of data fields and artifact completeness. This page defines them in terms of operational practices: how organisations generate, validate, distribute and act on transparency artifacts.
Level 1: Basic
Organisations at Level 1 generate and share SBOMs to meet regulatory and customer requirements. Generation relies on automated scanning with manual enrichment, and is tied to release milestones rather than continuous integration.
Level 2: Advanced
At Level 2, SBOM and VEX practices are integrated into development and security workflows. Transparency operates as an automated, enforced pipeline rather than a periodic manual task.
Operational expectations by level
| Description | L1 | L2 |
|---|---|---|
| Generation | | |
| SBOM generation combines automated scanning with manual enrichment | ✓ | |
| SBOM generation is fully automated in CI/CD pipelines | | ✓ |
| SBOMs are generated at release milestones | ✓ | |
| SBOMs are generated on every build | | ✓ |
| Metadata enrichment (build environment, tool versions, lifecycle phase) is automated | | ✓ |
| Quality and validation | | |
| SBOMs pass basic format validation | ✓ | |
| Quality gates validate completeness and block builds with incomplete SBOMs | | ✓ |
| Distribution | | |
| SBOMs are shared through ad-hoc channels (email, portal, shared folder) | ✓ | |
| SBOMs are distributed through versioned repositories with API access | | ✓ |
| SBOMs are cryptographically signed as part of the build process | | ✓ |
| Vulnerability management (VEX) | | |
| VEX documents are created reactively on customer request or regulatory deadline | ✓ | |
| Monitoring systems generate draft VEX documents automatically when new CVEs are published | | ✓ |
| VEX status is updated automatically when fixes ship | | ✓ |
| Organisational ownership | | |
| A single team manages SBOM responsibilities with informal handoffs | ✓ | |
| Ownership is distributed: development owns generation quality, security owns VEX, operations owns distribution | | ✓ |
| Monitoring and metrics | | |
| No systematic tracking of SBOM coverage or quality | ✓ | |
| Coverage, quality, and response-time metrics are reviewed regularly | | ✓ |
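The "Quality and validation" rows above separate an L1 format check from an L2 completeness gate. The following is an added example of what that difference looks like in code; it is not part of the framework and the SBOM it inspects is constructed here. It assumes a CycloneDX JSON SBOM (fields `bomFormat`, `specVersion`, `components[].name/version/purl`) and treats `name`, `version` and `purl` as the fields a downstream consumer needs to correlate a component with advisories.

```python
"""Minimal SBOM quality gate (added example, not the framework's own code).

Two checks, mirroring the two maturity levels in the table:
  - format_ok():     L1 "basic format validation" (is this a CycloneDX JSON document?)
  - completeness():  L2 quality gate (does every component carry the fields a
                     consumer needs to match it against advisories?)
The SBOM below is constructed for this example; field names follow the
CycloneDX JSON schema (bomFormat, specVersion, components[].name/version/purl).
"""
import json
import sys

# Constructed sample: one complete component, one missing a version,
# one missing a purl (so it cannot be matched against advisories).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"name": "example-app", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12",
         "purl": "pkg:generic/openssl@3.0.12"},
        {"type": "library", "name": "zlib",
         "purl": "pkg:generic/zlib"},
        {"type": "library", "name": "libfoo", "version": "1.0"},
    ],
})

# Fields every component must carry for the L2 completeness gate (assumption).
REQUIRED_FIELDS = ("name", "version", "purl")


def format_ok(sbom: dict) -> bool:
    """L1 check: structurally a CycloneDX document with a components list."""
    return (
        sbom.get("bomFormat") == "CycloneDX"
        and isinstance(sbom.get("specVersion"), str)
        and isinstance(sbom.get("components"), list)
    )


def completeness(sbom: dict, required=REQUIRED_FIELDS) -> list:
    """L2 check: one finding per missing or empty required field.

    An empty list means the SBOM passes the gate.
    """
    findings = []
    for idx, comp in enumerate(sbom.get("components", [])):
        label = comp.get("name") or f"component[{idx}]"
        for field in required:
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
    return findings


def coverage(sbom: dict, required=REQUIRED_FIELDS) -> float:
    """Fraction of components carrying every required field: the kind of
    quality metric the "Monitoring and metrics" row expects L2 to track."""
    comps = sbom.get("components", [])
    if not comps:
        return 0.0
    complete = sum(1 for c in comps if all(c.get(f) for f in required))
    return complete / len(comps)


def gate(sbom_json: str) -> tuple:
    """Run both checks; returns (passed, findings). A build is blocked if
    either the L1 format check or the L2 completeness check fails."""
    sbom = json.loads(sbom_json)
    if not format_ok(sbom):
        return False, ["not a CycloneDX JSON document"]
    findings = completeness(sbom)
    return not findings, findings


if __name__ == "__main__":
    # CI usage: a non-zero exit status fails the pipeline stage.
    passed, problems = gate(SAMPLE_SBOM)
    for p in problems:
        print("BLOCK:", p)
    print(f"coverage={coverage(json.loads(SAMPLE_SBOM)):.2f}")
    sys.exit(0 if passed else 1)
```

Run as a CI step, the script exits non-zero on the constructed SBOM because two of the three components are incomplete, which is the blocking behaviour the L2 row describes; an L1 pipeline would stop after `format_ok()` and accept the same file.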
What each level delivers
Level 1 delivers regulatory compliance (for example with the CRA and NIS2), audit evidence, a component inventory for manual vulnerability assessment, and procurement readiness. Keeping artifacts current requires manual effort.
Level 2 makes transparency a side effect of existing development workflows rather than a separate compliance activity. Automated generation reduces per-SBOM effort from hours to minutes, making portfolio-wide coverage practical. Vulnerability correlation against published CVEs cuts incident response from days to minutes. Dependency changes surface before they reach production, and audit trails accumulate without manual reporting effort.
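The two automated VEX behaviours in the table (drafting a VEX record when a CVE is published, updating its status when a fix ships) and the vulnerability correlation mentioned above are shown below as an added example; it is not the framework's code. It assumes CycloneDX's `vulnerabilities` entry shape with `analysis.state` values `in_triage` and `resolved`; the inventory, the advisory (with a placeholder CVE identifier) and the numeric-only version comparison are all constructed for the example.

```python
"""Draft VEX automation (added example, not the framework's own code).

Implements the two L2 behaviours from the table: a newly published advisory
is correlated against a component inventory to produce a draft VEX record in
the "in_triage" state, and the record is moved to "resolved" once a build
ships a fixed version. The record shape follows a CycloneDX `vulnerabilities`
entry (analysis.state in_triage / resolved); inventory, advisory and the
version-comparison rule are constructed for this example.
"""
from datetime import datetime, timezone
from typing import Optional

# Constructed inventory: the package URLs an SBOM pipeline already holds.
INVENTORY = [
    {"bom-ref": "pkg:generic/openssl@3.0.12", "name": "openssl", "version": "3.0.12"},
    {"bom-ref": "pkg:npm/lodash@4.17.20", "name": "lodash", "version": "4.17.20"},
    {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
]

# Constructed advisory feed entry. CVE-XXXX-XXXXX is a placeholder identifier
# and the affected range is invented; a real monitor would read both from a
# vulnerability database.
ADVISORY = {
    "id": "CVE-XXXX-XXXXX",
    "affects": [
        {"purl_prefix": "pkg:npm/lodash@", "introduced": "4.0.0", "fixed": "4.17.21"},
    ],
}


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only (a simplification for the example)."""
    return tuple(int(p) for p in v.split("."))


def component_affected(component: dict, affect: dict) -> bool:
    """Affected if the purl names the advisory's package and the version
    lies in [introduced, fixed)."""
    if not component["bom-ref"].startswith(affect["purl_prefix"]):
        return False
    v = parse_version(component["version"])
    return parse_version(affect["introduced"]) <= v < parse_version(affect["fixed"])


def draft_vex(inventory: list, advisory: dict) -> Optional[dict]:
    """Correlate an advisory with the inventory. Returns a draft record, or
    None when nothing is affected. The state starts as in_triage: the draft
    saves the lookup work, a human still decides exploitability."""
    hits = [c for c in inventory
            if any(component_affected(c, a) for a in advisory["affects"])]
    if not hits:
        return None
    return {
        "id": advisory["id"],
        "affects": [{"ref": c["bom-ref"]} for c in hits],
        "analysis": {"state": "in_triage", "detail": "auto-drafted by monitor"},
        "updated": datetime.now(timezone.utc).isoformat(),
    }


def update_on_release(vex: dict, advisory: dict, released: list) -> dict:
    """Second L2 behaviour: when a build ships, re-evaluate against the
    released inventory and mark the record resolved once no affected
    component remains."""
    still_affected = [{"ref": c["bom-ref"]} for c in released
                      if any(component_affected(c, a) for a in advisory["affects"])]
    updated = dict(vex, affects=still_affected,
                   updated=datetime.now(timezone.utc).isoformat())
    if not still_affected:
        updated["analysis"] = {"state": "resolved", "detail": "fixed version shipped"}
    return updated


if __name__ == "__main__":
    draft = draft_vex(INVENTORY, ADVISORY)
    print("draft:", draft)
    # A later build ships lodash 4.17.21; the monitor re-evaluates the record.
    released = [c if c["name"] != "lodash" else
                {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21"}
                for c in INVENTORY]
    print("after release:", update_on_release(draft, ADVISORY, released))
```

The correlation step is what turns a published CVE into a day-zero draft rather than a manually researched document, and `update_on_release()` is the hook a build pipeline would call on every release so the VEX status tracks what actually shipped.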