Getting Started
Identify your role, set your ambition level and find the right entry point
Assess now or orient first
Organisations already generating SBOMs or issuing VEX documents can skip orientation. The Maturity Assessment tool scores current practices across generation and distribution, then maps gaps to specific framework sections. Take the assessment.
New to the framework: continue below.
Your role: producer or consumer
Producers build and ship software. They generate SBOMs and publish VEX documents as part of their delivery process.
Consumers procure and operate software they did not build. Procurement leads request SBOMs from suppliers; security engineers correlate the listed components against vulnerability feeds and apply any VEX statements the supplier provides to determine actual exposure rather than raw match counts.
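The consumer-side correlation described above, as an added example that is not part of the framework's own tooling: a CycloneDX-style SBOM is matched by purl against a vulnerability feed, and the supplier's CycloneDX VEX statements are applied to separate open findings from suppressed ones. The SBOM, feed and VEX document are all constructed inline; the package names and the EXAMPLE-2024-000x identifiers are placeholders, not real packages or CVEs. The check that a not_affected statement carries a justification before it is honoured is a design choice made here, not a rule the page states.

```python
"""Correlate an SBOM against a vulnerability feed, then apply VEX statements."""
import json

# Constructed CycloneDX-style SBOM; components are hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1",
     "purl": "pkg:npm/example-http@2.4.1"},
    {"type": "library", "name": "example-xml", "version": "1.0.9",
     "purl": "pkg:pypi/example-xml@1.0.9"},
    {"type": "library", "name": "example-log", "version": "3.3.0",
     "purl": "pkg:maven/org.example/example-log@3.3.0"},
    {"type": "library", "name": "example-vendored", "version": "0.1"}
  ]
}
"""

# Constructed vulnerability feed keyed by purl. Identifiers are placeholders;
# a real feed (OSV, NVD, vendor advisories) would supply CVE/GHSA ids.
VULN_FEED = {
    "pkg:npm/example-http@2.4.1": ["EXAMPLE-2024-0001"],
    "pkg:pypi/example-xml@1.0.9": ["EXAMPLE-2024-0002", "EXAMPLE-2024-0003"],
}

# Constructed CycloneDX VEX document from the hypothetical supplier.
VEX_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "EXAMPLE-2024-0001",
     "analysis": {"state": "not_affected",
                  "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:npm/example-http@2.4.1"}]},
    {"id": "EXAMPLE-2024-0002",
     "analysis": {"state": "not_affected"},
     "affects": [{"ref": "pkg:pypi/example-xml@1.0.9"}]},
    {"id": "EXAMPLE-2024-0003",
     "analysis": {"state": "in_triage"},
     "affects": [{"ref": "pkg:pypi/example-xml@1.0.9"}]}
  ]
}
"""


def is_suppressed(analysis):
    """Decide whether a VEX analysis block removes a finding from the open list.

    false_positive suppresses outright. not_affected is honoured only when the
    supplier states a justification; an unjustified not_affected claim is
    treated as unverified and the finding stays open (local policy choice).
    """
    state = analysis.get("state")
    if state == "false_positive":
        return True
    return state == "not_affected" and bool(analysis.get("justification"))


def load_vex_index(vex_doc):
    """Map (vulnerability id, purl) -> analysis dict for every VEX statement."""
    index = {}
    for vuln in vex_doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = analysis
    return index


def assess(sbom_doc, feed, vex_doc):
    """Return open and suppressed (purl, id) pairs plus components with no purl."""
    vex_index = load_vex_index(vex_doc)
    result = {"open": [], "suppressed": [], "unmatched": []}
    for comp in sbom_doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # Without a purl there is no reliable key to match the feed on;
            # report it rather than silently treating it as clean.
            result["unmatched"].append(comp.get("name"))
            continue
        for vuln_id in feed.get(purl, []):
            analysis = vex_index.get((vuln_id, purl), {})
            bucket = "suppressed" if is_suppressed(analysis) else "open"
            result[bucket].append((purl, vuln_id))
    return result


def run_example():
    """Parse the constructed documents and run the correlation."""
    return assess(json.loads(SBOM_JSON), VULN_FEED, json.loads(VEX_JSON))


if __name__ == "__main__":
    for bucket, items in run_example().items():
        print(bucket, items)
```

Running it leaves EXAMPLE-2024-0002 open even though the supplier marked it not_affected, because the statement carries no justification; EXAMPLE-2024-0003 stays open because in_triage is not a closing state; the component without a purl is reported separately so it is not mistaken for a clean result.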
Both roles share the same Workflows section.
Many organisations are both. Pick whichever role drives the current need and follow that path first.
Your ambition and constraints
The framework defines two maturity levels. L1 (Basic) covers semi-automated generation and ad-hoc distribution. It meets CRA and NIS2 baseline requirements. Organisations with a small product portfolio can operate at L1 indefinitely. See Maturity Levels for the full breakdown.
L2 (Advanced) adds CI/CD integration and systematic VEX lifecycle management. It applies when manual effort stops scaling: dozens of products, or customers demanding signed artifacts with complete dependency trees. Organisations can adopt L2 selectively across capabilities.
One factor overrides internal ambition: the downstream audience. Producers delivering to energy, healthcare, or critical-infrastructure customers will face requirements that L1 tooling rarely satisfies without additional configuration. Review the Content Requirements early if regulated sectors are in scope.
Your next action
Browse Use Cases to identify priorities, then follow the linked Workflows for execution steps. Vulnerability management and supplier transparency are the most common entry points.
Organisations already working with SBOMs can complement that exploration with the Maturity Assessment (described above) to locate the framework sections that address their specific gaps.
For field-level data requirements across SBOM, VEX, and VDR artifacts, see Content Requirements.