Getting Started
Assess readiness and plan your SBOM implementation journey
Before implementing SBOM and VEX practices, assess your organization's readiness, understand maturity levels, and plan resources appropriately. Rushing into implementation without preparation often leads to incomplete coverage, poor quality, or unsustainable manual processes.
Why start here
Organizations frequently ask "where do we start?" The answer depends on:
- Your role (producer vs consumer)
- Current capabilities and infrastructure
- Available resources (time, budget, skills)
- Regulatory drivers and timelines
- Existing security and development practices
This section helps you:
- Assess readiness — identify capability gaps and dependencies before starting
- Understand maturity levels — know what "good" looks like at each stage
- Choose your starting point — select appropriate workflows for your context
- Plan resources — estimate realistic time, budget, and skill requirements
Quick self-assessment
Answer these questions to determine where to focus:
For producers:
- Do you have automated builds for your software? → If no, see Choosing Your Starting Point
- Can you identify all third-party components in your products? → If no, see Organizational Readiness
- Do you have resources to maintain SBOM generation long-term? → If unsure, see Resource Planning
For consumers:
- Do you have a system to store and query SBOMs? → If no, see Resource Planning
- Can you correlate SBOMs with vulnerability data? → If no, see Maturity Levels
- Do you have processes for requesting SBOMs from suppliers? → If no, see Consumer Workflows
Maturity progression
Most organizations progress through these stages:
Level 1 (Basic) — Manual generation, basic formats, ad-hoc sharing
- Characteristics: Manual SBOM creation, limited automation, basic metadata
- Timeline: 1-3 months to establish
- Outcome: Meet minimum compliance requirements
Level 2 (Advanced) — Automated generation, quality gates, systematic lifecycle management
- Characteristics: CI/CD integration, validation pipelines, VEX coordination, comprehensive metadata
- Timeline: 6-12 months from Level 1
- Outcome: Operational excellence and proactive vulnerability management
See Maturity Levels Overview for detailed characteristics and progression strategies.
Common starting scenarios
Scenario 1: Regulatory compliance deadline
Context: You must provide SBOMs to customers or regulators within 3 months.
Recommended path:
- Start with Organizational Readiness rapid assessment
- Target Level 1 (Basic) initially
- Use Producer Workflows - Generate SBOMs for the manual approach
- Plan Level 2 automation after meeting deadline
Scenario 2: Customer request for transparency
Context: A major customer requests SBOMs as a procurement requirement.
Recommended path:
- Review Resource Planning for one-time vs ongoing costs
- Evaluate Choosing Your Starting Point based on product portfolio size
- Consider Security and Access Control for sensitive products
Scenario 3: Improving vulnerability management
Context: You want to use SBOMs to accelerate vulnerability response (e.g., Log4j scenarios).
Recommended path:
- Start as consumer: Consumer Workflows
- Focus on Vulnerability Management use case
- Understand SBOM and VEX Lifecycle for dynamic updates
- Plan Integration with Tools
Scenario 4: Supply chain transparency program
Context: You are building comprehensive supply chain visibility across the organization.
Recommended path:
- Complete Organizational Readiness full assessment
- Plan both producer and consumer capabilities
- Review Maturity Progression Pathways for long-term roadmap
- Consider Skills and Training requirements
Next steps
Choose your path:
- Need to assess readiness? → Organizational Readiness Assessment
- Want to understand what "good" looks like? → Maturity Levels Overview
- Ready to choose your approach? → Choosing Your Starting Point
- Need to estimate resources? → Resource Planning