STP
SBOM Observer/

Choosing Your Starting Point

Selecting appropriate implementation paths based on your context and constraints

The right SBOM implementation path depends on your organization's unique context: technical infrastructure, resource availability, regulatory pressures, and strategic objectives. There's no universal "correct" starting point—what works for a startup with modern CI/CD differs dramatically from what suits an enterprise with decades of legacy systems.

This page helps you identify your situation and select an appropriate initial approach, balancing compliance needs against sustainable long-term practices.

Producer or Consumer First?

Many organizations play both roles—producing software with SBOMs while also consuming SBOMs from suppliers. The question becomes: which capability to build first?

Start as Producer When

You manufacture software products delivered to customers or deployed as services. Your primary transparency obligation is documenting what you've built and shipped. Regulatory requirements like the Cyber Resilience Act, customer procurement demands, or competitive pressures drive the need to generate and share SBOMs.

Producer-first makes sense when: Your software releases drive the timeline. If customers request SBOMs now or regulations require them by specific dates, you must prioritize generation capability. Building consumer capability later won't help meet immediate producer obligations.

You control your codebase and build processes. Generating SBOMs for software you develop is more straightforward than negotiating with external suppliers for their artifacts. Starting with what you control builds internal capability before tackling the harder supplier coordination challenge.

You have modern development infrastructure. Organizations with automated builds, version control, and dependency management can implement producer capability relatively quickly, making it the natural starting point.

Recommended path: Begin with Producer Workflows, focusing initially on Generate SBOMs. Plan consumer capability as a second phase once generation processes are stable.

Start as Consumer When

You procure and operate software from external vendors. Your primary concern is understanding what's deployed in your environment—the components you depend on but didn't build. Risk management, vulnerability prioritization, or procurement evaluation drive your SBOM needs.

Consumer-first makes sense when: Supplier software represents your primary security exposure. If most of your deployed code comes from vendors rather than internal development, understanding supplier components is more urgent than documenting your own relatively small codebase.

You're building enterprise-wide vulnerability management capability. Organizations implementing comprehensive asset inventory and vulnerability correlation programs need consumer capability to fully leverage SBOM data across their entire software estate.

You have procurement leverage. If you're initiating new vendor relationships or renewing existing contracts, you can require SBOM delivery from suppliers starting now. This gives you artifacts to work with while building internal consumption infrastructure.

Recommended path: Begin with Consumer Workflows, starting with Request from Suppliers to begin building your supplier SBOM library while simultaneously developing Ingest and Store capability.

Parallel Development

Larger organizations with resources often build both capabilities simultaneously, recognizing that producer and consumer roles reinforce each other. Generating SBOMs internally teaches you what makes a good SBOM, informing more effective supplier evaluation. Consuming supplier SBOMs reveals edge cases and quality issues you'll want to avoid in your own generation.

If pursuing parallel development, maintain separate teams for each workstream initially to avoid diluted focus, then integrate learnings as both capabilities mature.

Greenfield vs Legacy Systems

Your existing technical infrastructure dramatically influences viable starting points.

Greenfield Implementation Path

Greenfield scenarios—new products, modern tech stacks, or recent CI/CD adoptions—represent the ideal environment for SBOM implementation. You can build transparency practices into your workflows from inception rather than retrofitting them onto established processes.

Leverage these advantages: Start with automated generation from day one. There's no legacy manual process to unwind, no resistance from "how we've always done it." Configure your CI/CD pipeline to produce SBOMs as a standard build artifact from the first release, establishing transparency as a default practice rather than an afterthought.

Choose tools aligned with your stack rather than compromising for legacy compatibility. If you're building Node.js applications, select Node-optimized SBOM tooling. Python projects can use Python-native solutions. This specialization produces higher quality artifacts than generic tools stretched across incompatible ecosystems.

Establish quality standards before bad habits form. Define validation criteria, require component metadata completeness, mandate signing practices—all before releasing your first artifact. It's exponentially easier to maintain high standards from inception than to retrofit them after shipping thousands of SBOMs of varying quality.

Recommended starting workflows: Generate SBOMs - Automated Approach, targeting Level 2 maturity from the outset. Your timeline compresses significantly—potentially achieving operational excellence within 3-6 months rather than the typical 12-18 month progression.

Legacy System Reality

Most organizations face legacy realities: decades-old codebases, manual build processes, undocumented dependencies, or technology stacks predating modern package managers. These constraints don't preclude SBOM implementation but fundamentally alter the viable approach.

Accept these constraints pragmatically: Manual generation is often the only option initially. Without automated builds, you can't automate SBOM creation. Accept this reality and focus on making manual processes as repeatable and documented as possible. Use spreadsheet templates, documented investigation procedures, and standardized artifact formats. The goal isn't perfection—it's establishing component visibility where none existed.

Incomplete SBOMs may be unavoidable. Legacy systems often have components whose origins are lost to time—libraries copied into repositories years ago, custom modifications to open source tools with no documentation, or binary dependencies from defunct vendors. Don't let perfect be the enemy of good. Document what you know, explicitly declare what's unknown using "known unknowns" fields, and improve incrementally.

Tool limitations will surface. Modern SBOM generators assume conventional package managers and standard dependency declarations. Legacy systems using unconventional patterns will produce incomplete results. Manual validation and enrichment become essential quality controls rather than optional enhancements.

Practical legacy approach: Start with your newest or most critical legacy systems—those most likely to have some dependency documentation and highest security significance. Build manual generation capability there before tackling truly ancient systems. Use these initial efforts to build organizational knowledge and identify patterns that might enable partial automation later.

Begin with Generate SBOMs - Manual Approach, accepting that progression to automation may take years. For truly undocumented systems, see Advanced Topics - Legacy Systems for specialized strategies.

Resource Availability Realities

Available resources—time, budget, and skills—fundamentally shape viable implementation paths.

Resource-Constrained Approach

Small teams, limited budgets, or organizations treating SBOM as a compliance checkbox rather than strategic capability must ruthlessly prioritize.

Focus strategies for constrained resources: Implement for subset of products only. Don't attempt portfolio-wide coverage initially. Identify your 5-10 most critical products—those facing regulatory requirements, customer demands, or highest security exposure—and perfect practices there. Incomplete but high-quality coverage of critical systems beats low-quality SBOMs across everything.

Embrace manual processes initially if automation investment exceeds available budget. Manual generation for 5 products quarterly is sustainable; attempting it for 50 products monthly isn't. Scope your coverage to match available effort, plan automation only after proving value justifies investment.

Leverage open-source tools exclusively. Commercial SBOM platforms offer convenience but introduce licensing costs. Organizations constrained by budget can achieve Level 1 maturity entirely with open-source tools like Syft, CycloneDX CLI, and community scanning utilities. Accept the additional technical effort as the price of budget constraints.

Sustainability warning: Resource-constrained approaches work only when scoped appropriately. Attempting to deliver enterprise-scale SBOM programs with insufficient resources leads to burnout, quality deterioration, and program abandonment. Better to succeed with limited scope than fail attempting unrealistic coverage.

Resource-Rich Approach

Organizations with dedicated teams, allocated budgets, and executive mandates can pursue more ambitious implementations.

Opportunities with adequate resources: Invest in commercial platforms that abstract complexity and accelerate time-to-value. Tools like Dependency-Track, Sonatype, or vendor-specific solutions reduce implementation effort, provide enterprise support, and enable faster scaling. The upfront investment pays for itself through reduced ongoing manual effort.

Build comprehensive automation from the start. Rather than progressing through manual → hybrid → automated phases, jump directly to CI/CD integration and policy-driven workflows. This requires greater initial investment but achieves sustainable operations faster and avoids technical debt from transitional processes.

Pursue parallel workstreams across producer, consumer, and advanced capabilities. Dedicate separate teams to SBOM generation, supplier engagement, and integration with security tools simultaneously. This approach compresses timelines significantly but requires careful coordination to avoid duplication or conflicting practices.

Risk of over-engineering: Resource availability tempts over-investment in unnecessary sophistication. Organizations sometimes build custom SBOM platforms when existing tools would suffice, or pursue Level 2 maturity for rarely-released products where Level 1 would serve equally well. Resources enable ambition but don't mandate maximum complexity for all scenarios.

Regulatory Drivers vs Strategic Initiatives

Your motivation for SBOM implementation influences the appropriate starting path.

Compliance-Driven Implementation

Organizations implementing SBOMs primarily to meet regulatory requirements or contractual obligations face specific constraints and opportunities.

Compliance drivers establish firm deadlines. Unlike strategic initiatives where timing is flexible, regulatory compliance demands delivery by specific dates. This urgency shapes viable approaches—you can't spend 18 months building perfect automation when regulation mandates compliance in 6 months.

Compliance-focused strategy: Achieve minimum viable compliance quickly, plan operational excellence second. Target Level 1 maturity specifically, focusing on required fields and basic format compliance while accepting manual processes. Once compliant, invest in automation and quality improvement without deadline pressure.

Document everything. Regulatory compliance often requires audit evidence demonstrating your process, not just the artifacts produced. Establish and document procedures even for manual processes, creating evidence trails showing systematic rather than ad-hoc practices.

Timing approach: Work backward from deadline. If compliance required in 6 months, allocate 4 months for implementation and 2 months for buffer. If that timeline demands manual processes, accept them. Post-compliance, revisit with focus on sustainability and quality improvement.

Strategic Capability Building

Organizations viewing SBOM as strategic capability—enabling better security, supplier management, or competitive differentiation—have different priorities and flexibilities.

Strategic initiatives lack hard deadlines but require long-term sustainability. Building capability you'll maintain for years demands different choices than meeting one-time compliance. Invest in automation and quality from the start because the operational burden compounds over time.

Strategic approach: Prioritize sustainability over speed. Spend the time to implement proper automation, establish quality gates, and build organizational capability. A 12-month implementation timeline producing sustainable practices beats a 3-month rush delivering unsustainable manual processes that collapse under operational load.

Measure business outcomes, not just technical outputs. Track metrics like reduced incident response time, faster vulnerability remediation, or improved supplier risk assessment. These business-level indicators justify continued investment and demonstrate strategic value beyond compliance checkboxes.

Plan for evolution. Strategic capabilities must adapt as threats change, standards evolve, and business needs shift. Build systems and processes designed for modification rather than one-time implementation. Expect to refine practices continuously rather than treating SBOM as a project with defined completion.

Decision Framework

Use this framework to identify your recommended starting point:

If you're a software producer with modern CI/CD and facing compliance deadlines: → Start with Producer Workflows - Generate SBOMs (automated), target Level 1 initially, automate quality improvements after meeting deadline.

If you're managing enterprise software portfolio from multiple vendors: → Start with Consumer Workflows - Request from Suppliers, build Ingest and Store capability in parallel.

If you have legacy systems without automated builds: → Start with manual generation for critical systems, see Advanced Topics - Legacy Systems for specialized approaches.

If you're building strategic vulnerability management capability: → Develop consumer workflows first to leverage supplier SBOMs, then add producer capability to complete visibility.

If you're resource-constrained: → Limit scope to 3-5 critical products, accept manual processes, prove value before expanding.

If you have dedicated team and budget: → Pursue comprehensive automation targeting Level 2 maturity within 12 months across full portfolio.

Next Steps

After identifying your starting point:

Edit on GitHub

Maturity Levels

Understanding SBOM capability progression from basic compliance to operational excellence

Resource Planning

Realistic estimates for time, budget, skills, and infrastructure investment

On this page

Producer or Consumer First?Start as Producer WhenStart as Consumer WhenParallel DevelopmentGreenfield vs Legacy SystemsGreenfield Implementation PathLegacy System RealityResource Availability RealitiesResource-Constrained ApproachResource-Rich ApproachRegulatory Drivers vs Strategic InitiativesCompliance-Driven ImplementationStrategic Capability BuildingDecision FrameworkNext Steps