The Cybersecurity and Infrastructure Security Agency has issued guidance for creating the build software bill of materials (SBOM) for products that were assembled and tested prior to delivery.
CISA said Friday the document, titled “Guidance on Assembling a Group of Products,” aims to guide software manufacturers and integrators in developing the build SBOM for assembled products that may contain parts that experience version changes.
According to the document, certain information is required when describing a product line with a build SBOM, including an identifier, a versioning system to use with the identifier, a list of product components being distributed together as a group and a version number for each component.
The guidance was developed by the Software Bill of Materials Tooling & Implementation Working Group, a community-led working group facilitated by CISA.