STP
SBOM Observer/

Maturity Progression

Roadmaps for advancing from basic to advanced SBOM capabilities

SBOM maturity isn't binary—organizations exist on spectrum from "just started generating basic SBOMs" to "comprehensive automated transparency with integrated VEX, continuous monitoring, and embedded security workflows." Progression happens incrementally through deliberate capability building, not overnight transformation. Understanding maturity levels and realistic progression timelines prevents frustration from unrealistic expectations while providing roadmap toward operational excellence.

Organizations implementing SBOMs face choice: attempt comprehensive solution immediately (high cost, long timeline, significant risk) or start basic and progressively enhance (lower initial investment, faster time-to-value, learning-driven improvement). Progressive maturity approach balances ambition with pragmatism, delivering incremental value while building toward sophisticated long-term capabilities.

Maturity Level Definitions

Level 1: Basic Implementation

Characteristics: Organizations at Level 1 can generate and share SBOMs meeting minimum compliance requirements. Generation may be partially manual. Formats conform to standards but metadata completeness varies. Distribution is functional but not automated. VEX capability is limited or absent.

Typical capabilities:

  • SBOM generation for primary products using standard tools
  • Manual enrichment and quality checking
  • Schema-valid output (CycloneDX or SPDX)
  • Basic distribution mechanisms (email, download portal)
  • Reactive vulnerability assessment when issues arise
  • Limited transitive dependency enumeration
  • Point-in-time SBOM snapshots without systematic updates

Operational characteristics:

  • Process documented in runbooks
  • Small team (1-3 people) managing SBOM activities
  • Monthly or quarterly SBOM generation cycles
  • Manual coordination between teams
  • Basic tooling (open source SBOM generators)
  • Ad-hoc quality validation

Typical timeline: 3-6 months from program initiation to operational Level 1 capability.

Investment: €30,000-60,000 first year (tooling, training, initial implementation effort). Primarily labor costs—Level 1 can leverage free/open-source tools.

Value delivered:

  • Regulatory compliance (NIS2, CRA, federal procurement)
  • Customer transparency requirements satisfied
  • Foundation for vulnerability management improvements
  • Procurement leverage with suppliers
  • License compliance visibility

Limitations:

  • Significant manual effort—doesn't scale to hundreds of products
  • SBOM freshness concerns—updates lag software changes
  • Limited VEX capability means vulnerability communication is reactive
  • Manual processes prone to human error and inconsistency
  • Difficult to maintain with personnel changes

Level 2: Advanced Implementation

Characteristics: Organizations at Level 2 have automated, comprehensive SBOM programs integrated into development and security workflows. Generation is automated in CI/CD pipelines. Metadata is rich and consistent. Distribution is automated with multiple channels. VEX documents are published systematically. Continuous monitoring enables proactive risk management.

Typical capabilities:

  • Automated SBOM generation in every build
  • Comprehensive transitive dependency enumeration
  • Rich metadata (hashes, provenance, licenses, supplier details)
  • Automated validation and quality gates
  • Cryptographic signing and attestation
  • Multi-channel automated distribution (API, webhooks, portals)
  • Systematic VEX publication for vulnerabilities
  • SBOM repository with API access and query capabilities
  • Integration with vulnerability scanners and security tools
  • Continuous component health monitoring
  • Metrics and dashboarding

Operational characteristics:

  • Embedded in development workflows (developers don't manually intervene)
  • Cross-functional team (security, development, legal, procurement)
  • Real-time or near-real-time SBOM updates aligned with releases
  • Automated coordination and notifications
  • Enterprise-grade tooling (commercial platforms or sophisticated open source infrastructure)
  • Continuous automated validation and monitoring

Typical timeline: 12-18 months from Level 1 to operational Level 2 capability.

Investment: €80,000-150,000 additional investment beyond Level 1 (automation infrastructure, advanced tooling, expanded team, training, integration effort).

Value delivered:

  • Operational efficiency through automation—scales to hundreds of products
  • Faster vulnerability response (hours instead of days)
  • Proactive risk management through continuous monitoring
  • Improved supplier management through systematic assessment
  • Lower operational costs long-term despite higher upfront investment
  • Competitive differentiation through security maturity
  • Foundation for zero-trust, supply chain security frameworks

Limitations:

  • Significant initial investment and implementation complexity
  • Requires organizational commitment across multiple teams
  • Cultural change management beyond technical implementation
  • Ongoing maintenance and evolution as ecosystem changes

Progression Roadmap

Phase 1: Foundation Building (Months 0-3)

Objective: Establish minimum viable SBOM capability for pilot products.

Activities:

Month 1: Planning and tool selection

  • Define scope (which products, which use cases)
  • Select SBOM formats (CycloneDX recommended for operational focus)
  • Choose generation tools for technology stacks
  • Identify pilot products (3-5 products representing technology diversity)
  • Secure executive sponsorship and budget
  • Form cross-functional working group

Month 2: Pilot implementation

  • Install and configure SBOM generation tools
  • Generate first SBOMs for pilot products
  • Validate schema compliance and basic quality
  • Document generation procedures
  • Train pilot team members
  • Establish SBOM storage location (file system or basic repository)

Month 3: Initial distribution

  • Develop distribution workflow (manual upload to portal or email-based)
  • Create customer-facing documentation explaining SBOMs
  • Generate SBOMs for pilot product releases
  • Collect feedback from internal stakeholders and early customers
  • Refine processes based on learnings

Success criteria:

  • 3-5 pilot products with validated SBOMs
  • Documented, repeatable generation process
  • At least one customer successfully received and used SBOM
  • Team trained and comfortable with basic workflows

Investment: €15,000-25,000 (primarily internal labor, minimal tooling costs).

Phase 2: Expansion and Standardization (Months 4-9)

Objective: Expand SBOM coverage across product portfolio, standardize processes, improve quality.

Activities:

Months 4-6: Scaled rollout

  • Expand to next 20-30 products beyond pilots
  • Develop product-specific generation configurations
  • Standardize metadata inclusion (licenses, PURLs, hashes)
  • Establish quality benchmarks (completeness scores, validation gates)
  • Implement schema validation in generation workflow
  • Create quarterly SBOM update cadence

Months 7-9: Quality and enrichment

  • Enhance SBOMs with provenance metadata
  • Implement cryptographic signing
  • Develop supplier SBOM request templates and workflows
  • Begin collecting SBOMs from critical vendors
  • Integrate basic vulnerability scanning using SBOM data
  • Establish metrics tracking (coverage %, quality scores, customer feedback)

Success criteria:

  • 30-50 products with quality SBOMs (completeness score above 70)
  • Standardized generation across technology stacks
  • 80%+ of SBOMs signed and validated
  • First supplier SBOMs received and ingested
  • Vulnerability scanning beginning to leverage SBOM data

Investment: €20,000-40,000 (expanding team capacity, potential commercial tool licenses, supplier engagement effort).

Phase 3: Automation Foundation (Months 10-15)

Objective: Automate generation, validation, and distribution. Build CI/CD integration.

Activities:

Months 10-12: CI/CD integration

  • Integrate SBOM generation into build pipelines
  • Automate validation gates (builds fail if SBOM invalid)
  • Implement automated signing workflows
  • Configure automatic SBOM publication to repository
  • Establish webhook notifications for SBOM updates
  • Remove manual generation steps where possible

Months 13-15: Repository and API infrastructure

  • Deploy SBOM repository system (Dependency-Track or custom solution)
  • Implement API for SBOM query and retrieval
  • Configure automated ingestion of vendor SBOMs
  • Build integration with vulnerability management platforms
  • Develop initial VEX publication workflow
  • Implement metrics dashboarding

Success criteria:

  • 60%+ of products with fully automated SBOM generation
  • CI/CD pipelines block releases with invalid/incomplete SBOMs
  • SBOM repository operational with API access
  • Vulnerability scanner consuming SBOM data automatically
  • First VEX documents published

Investment: €40,000-70,000 (automation infrastructure, repository deployment, integration development, potentially commercial vulnerability management platform).

Phase 4: Advanced Capabilities (Months 16-24)

Objective: Achieve Level 2 maturity with comprehensive automation, monitoring, and integration.

Activities:

Months 16-18: Comprehensive integration

  • Integrate SBOMs with asset management (CMDB)
  • Connect SBOM data to SIEM for security correlation
  • Implement continuous component health monitoring
  • Automate supplier SBOM quality assessment
  • Develop automated remediation ticketing from SBOM analysis
  • Expand VEX publication to systematic workflow

Months 19-21: Operational excellence

  • Implement real-time SBOM updates (not just on releases)
  • Build advanced analytics (trend analysis, risk scoring, supplier comparison)
  • Develop executive dashboards and reporting
  • Establish SLAs for SBOM freshness and VEX publication
  • Train additional teams on advanced capabilities
  • Document end-to-end automated workflows

Months 22-24: Continuous improvement

  • Conduct retrospective on maturity progression
  • Identify remaining gaps and enhancement opportunities
  • Optimize workflows based on operational experience
  • Expand supplier engagement program
  • Refine quality standards based on lessons learned
  • Plan for emerging capabilities (AI-assisted analysis, blockchain attestation, etc.)

Success criteria:

  • 90%+ of products with automated, high-quality SBOMs
  • VEX documents published within 48 hours of vulnerability disclosure
  • Vulnerability response time reduced by 60%+
  • Comprehensive supplier SBOM collection (70%+ critical vendors)
  • Operational metrics demonstrating program value
  • Sustainable, scalable processes requiring minimal manual intervention

Investment: €40,000-80,000 (advanced tooling, expanded team, comprehensive integration development).

Technology Stack Evolution

Level 1 Technology

SBOM generation:

  • Language-specific open source tools (CycloneDX npm plugin, Maven plugin, Python module)
  • Manual execution or simple scripts
  • Per-product configuration files

Storage:

  • File system or SharePoint
  • Manual organization and versioning

Distribution:

  • Email attachments
  • Manual upload to download portal
  • Customer-requested delivery

Validation:

  • Command-line schema validators
  • Manual quality checking
  • Spreadsheet-based tracking

Total tooling cost: €0-5,000 (primarily open source, minimal infrastructure).

Level 2 Technology

SBOM generation:

  • Integrated CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins)
  • Automated execution on every commit/build
  • Centralized configuration management
  • Multiple format support (CycloneDX, SPDX)

Storage:

  • Dedicated SBOM repository (Dependency-Track, SBOM Observer, custom platform)
  • Database-backed with full-text search
  • Version control and audit trails
  • API-first architecture

Distribution:

  • Multi-channel automated publication (API, webhooks, RSS feeds)
  • Customer portal integration
  • Container registry integration (OCI artifacts)
  • Automated notification systems

Validation:

  • Automated pipeline validation gates
  • Continuous quality monitoring
  • Completeness scoring
  • Accuracy verification through runtime comparison

Analysis and monitoring:

  • Vulnerability management platform (Dependency-Track, Snyk, commercial alternatives)
  • Component health monitoring dashboards
  • Supplier risk assessment tools
  • Executive reporting and analytics

Total tooling cost: €20,000-100,000 annually (combination of commercial platform licenses, infrastructure hosting, development tool subscriptions).

Organizational Changes Through Progression

Level 1 Organization

Team structure:

  • Small dedicated team (1-3 people), typically in security organization
  • Ad-hoc involvement from development teams when needed
  • Limited cross-functional coordination

Processes:

  • Documented procedures in wiki or runbook
  • Manual checklists for generation and distribution
  • Quarterly or release-triggered SBOM updates

Culture:

  • SBOM seen as compliance requirement
  • Developers minimally involved
  • Security team owns and drives

Challenges:

  • Scaling limitations
  • Knowledge concentration risk
  • Manual process sustainability concerns

Level 2 Organization

Team structure:

  • Cross-functional SBOM team (security, development, legal, procurement, product management)
  • Embedded SBOM responsibilities in development teams
  • Dedicated program manager for SBOM initiative
  • Executive sponsor actively engaged

Processes:

  • Automated workflows integrated into development lifecycle
  • Continuous rather than episodic activities
  • Clear SLAs and accountability

Culture:

  • SBOM seen as operational capability, not compliance burden
  • Developers understand value and participate willingly
  • Organization-wide transparency commitment
  • Security-as-code mindset

Benefits:

  • Scales to hundreds of products
  • Resilient to personnel changes
  • Continuous value delivery

Measuring Progression Success

Track metrics demonstrating maturity advancement:

Coverage metrics:

  • Level 1 target: 20-30 products with SBOMs
  • Level 2 target: 90%+ of products with SBOMs

Automation metrics:

  • Level 1: Manual or semi-automated generation
  • Level 2: 90%+ fully automated generation

Quality metrics:

  • Level 1: 60-70% average completeness score
  • Level 2: 85%+ average completeness score

Response time:

  • Level 1: 2-5 days from vulnerability disclosure to impact assessment
  • Level 2: 2-8 hours from vulnerability disclosure to impact assessment

Cost efficiency:

  • Level 1: €500-1,000 per product per year (manual effort)
  • Level 2: €100-300 per product per year (automation efficiency despite higher infrastructure costs)

Organizational adoption:

  • Level 1: Security team awareness and usage
  • Level 2: Development, security, legal, procurement, executive awareness and usage

Common Progression Pitfalls

Pitfall: Attempting Level 2 immediately without Level 1 foundation Trying to build comprehensive automated solution without understanding through basic implementation. Results in over-engineered solutions that don't match actual needs.

Prevention: Accept Level 1 as valuable learning phase. Build Level 2 based on operational experience, not theoretical requirements.

Pitfall: Stalling at Level 1 indefinitely Successfully implementing basic capability but never investing in automation and advancement. Manual processes become unsustainable as product portfolio grows.

Prevention: Time-box Level 1 phase. After 6 months at Level 1, explicitly decide: advance to Level 2 or accept that SBOM program will remain small-scale.

Pitfall: Underestimating organizational change required Focusing on technical implementation while ignoring need for cross-functional buy-in, process changes, cultural shifts.

Prevention: Invest in change management, stakeholder engagement, and communication throughout progression. Technical capability without organizational adoption delivers limited value.

Pitfall: Losing momentum between phases Completing pilot successfully but letting months pass before next phase. Team disperses, executive attention fades, program stalls.

Prevention: Maintain momentum through continuous progression. Complete Phase 1, celebrate, immediately begin Phase 2. Don't allow significant gaps between phases.

Next Steps

Edit on GitHub

Component Health Monitoring

Tracking component sustainability, maintenance activity, and long-term viability

Automation Strategies

Approaches for automating SBOM generation, validation, distribution, and VEX publication

On this page

Maturity Level DefinitionsLevel 1: Basic ImplementationLevel 2: Advanced ImplementationProgression RoadmapPhase 1: Foundation Building (Months 0-3)Phase 2: Expansion and Standardization (Months 4-9)Phase 3: Automation Foundation (Months 10-15)Phase 4: Advanced Capabilities (Months 16-24)Technology Stack EvolutionLevel 1 TechnologyLevel 2 TechnologyOrganizational Changes Through ProgressionLevel 1 OrganizationLevel 2 OrganizationMeasuring Progression SuccessCommon Progression PitfallsNext Steps