CISA_WG_tracker.md

File metadata and controls

85 lines (44 loc) · 3.33 KB

CISA SBOM Workstream Tracker

This is primarily an index for active Google docs used by the various CISA SBOM workstreams (or working groups).

On-Ramps and Adoption

Standing documents

Running Notes

Under development

SBOM FAQ Document

Tooling and Implementation

Standing documents

Running Notes

Under development

SBOM Terms and Definitions

SBOM Types

Published documents

Types of Software Bill of Materials (SBOM) (April 2023)

Sharing and Exchanging

Standing documents

Running Notes

Under development

SBOM Use Cases

SBOM Sharing-Related Efforts

Cloud and Online Applications

There are three subsidiary cloud working groups:

  • SBOM classic
  • Cloud stack transparency
  • Service transparency

Standing documents

Running Notes

Under development

SBOM Cloud Use Cases

Vulnerability Exploitability eXchange (VEX)

The concept of VEX grew out of SBOM, but VEX is not strictly part of or necessary for SBOM.

Participation

Weekly meetings are held on Mondays, 1000-1100 ET. To subscribe to the cisa-sbom-vex mailing list, send mail to cisa-sbom-vex+subscribe@googlegroups.com. You can also subscribe to and access the list on the web using a Google account.

Standing documents

Running Notes

Under development

VEX Practices Review

Published documents

Vulnerability-Exploitability eXchange (VEX) – An Overview (NTIA, September 2021)

Vulnerability Exploitability eXchange (VEX) – Use Cases (April 2022)

Vulnerability Exploitability eXchange (VEX) – Status Justifications (June 2022)

Minimum Requirements for Vulnerability Exploitability eXchange (VEX) (April 2023)

When to Issue VEX Information (November 2023)