Roles and Benefits for SBOM Across the Supply Chain
NTIA Multistakeholder Process on Software Component Transparency
Use Cases and State of Practice Working Group
Introduction
The Software Supply Chain
About this document: Goals and Methodology
Perspective: Produce Software
  Reduce unplanned, unscheduled work
  Reduce code bloat
  Adequately understand dependencies within broader complex projects
  Know and comply with the license obligations
  Monitor components for vulnerabilities
  End-of-life (EOL)
  Make code easier to review
  A blacklist of banned components
  Provide an SBOM to a customer
Perspective: Choose Software
  Identify potentially vulnerable components
  A more targeted security analysis
  Verify the sourcing
  Compliance with policies
  Aware of end-of-life components
  Verify some claims
  Understand the software’s integration
  Pre-purchase and pre-installation planning
  Market signal
Perspective: Operate Software
  Organization can quickly evaluate whether it is using the component
  Drive independent mitigations
  Make more informed risk-based decisions
  Alerts about potential end-of-life
  Better support compliance and reporting requirements
  Reduce costs through a more streamlined and efficient administration
Ecosystem, Network Effects, and Public Health Benefits of SBOM
  Accelerated Vulnerability Management