CISA SBOM Workstream Tracker

This is primarily an index for active Google docs used by the various CISA SBOM workstreams (or working groups).

On-Ramps and Adoption

Standing documents

Running notes

Under development

SBOM FAQ Document

Tooling and Implementation

Standing documents

Running Notes

Under development

SBOM Terms and Definitions

SBOM Types

Published documents

Types of Software Bill of Materials (SBOM) (April 2023)

Sharing and Exchanging

Standing documents

Running Notes

Under development

SBOM Use Cases

SBOM Sharing-Related Efforts

Cloud and Online Applications

There are three subsidiary cloud working groups:

  • SBOM classic
  • Cloud stack transparency
  • Service transparency

Standing documents

Running Notes

Under development

SBOM Cloud Use Cases

Vulnerability Exploitability eXchange (VEX)

The concept of VEX grew out of SBOM, but VEX is not strictly part of or necessary for SBOM.

Participation

Weekly meetings are held on Mondays, 1000-1100 EDT. The VEX WG is also piloting a mailing list. To subscribe, send mail to ${group_name}+subscribe@googlegroups.com. You can also subscribe and access the list on the web using a Google account. The name of the list is cisa-sbom-vex.

Standing documents

Running Notes

Under development

When to issue a VEX

Published documents

Vulnerability-Exploitability eXchange (VEX) – An Overview (September 2021)

Vulnerability Exploitability eXchange (VEX) – Use Cases (April 2022)

Vulnerability Exploitability eXchange (VEX) - Status Justifications (June 2022)

Minimum Requirements for Vulnerability Exploitability eXchange (VEX) (April 2023)