Explorer Guide
Figure out where to start with SBOMs, VEX, and VDR based on your situation
This page helps you figure out where to start. Whether a customer asked for an SBOM, a regulation requires one, or the organisation wants better visibility into its software supply chain, the framework has a path for each situation.
Why this is on your radar
Most organisations arrive here through one of these paths:
- A customer or partner requested transparency artifacts. Downstream buyers require SBOMs as part of procurement, sometimes with specific format and content expectations.
- Regulatory requirements. The EU Cyber Resilience Act (CRA) and NIS2 directive mandate software transparency for products sold in or operated within the EU. US executive orders and CISA guidance set similar expectations.
- Supply chain visibility. Security teams want to know what runs in their environment so they can assess exposure when new vulnerabilities are disclosed.
- Incident response readiness. An SBOM lets the affected organisation map a newly disclosed CVE to every product that includes the vulnerable component.
How the framework is organised
The framework has three parts:
- Content Requirements specify what information belongs in each artifact: which fields, identifiers, and structures make a document actionable.
- The Operational Model covers how to produce and consume those artifacts in practice: CI/CD integration, delivery workflows, vulnerability response.
- A Maturity Assessment tool scores current practices and maps gaps to specific framework sections.
Find your starting point
A customer asked for an SBOM. The organisation needs to generate SBOMs that meet the customer's expectations and deliver them alongside the product. Start with the Producer Guide, which covers content expectations and delivery workflows.
Regulatory compliance is driving the initiative. CRA, NIS2, or sector-specific regulation requires the organisation to provide or process transparency artifacts. The Producer Guide covers generation and delivery. Content Requirements detail the data quality bar these regulations expect.
The goal is evaluating what suppliers ship. Procurement or security teams want to request and act on SBOMs from third-party vendors. The Consumer Guide covers how to interpret and use supplier transparency data.
Not sure what the organisation needs yet. Getting Started helps identify the right role and maturity level. Organisations that already have some SBOM practices can use the Maturity Assessment to benchmark current state and find relevant sections in the Scale SBOM framework.
Producer, consumer, or both
Producers build and ship software. They generate SBOMs, issue VEX documents, and deliver these artifacts to customers as part of the release process.
Consumers procure and operate software they did not build. They request SBOMs from suppliers, validate content quality, and use component data for vulnerability management and compliance.
Many organisations are both. Pick the role that matches the immediate need and follow that guide first. The Getting Started page covers role identification and maturity levels in more detail.