[CDP-development] CISA Releases Guidance on Types of SBOM and Using VEX

Masse, Theresa theresa.masse at cisa.dhs.gov
Fri Apr 21 08:39:34 PDT 2023


FYSA



Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Minimum Requirements for Vulnerability Exploitability eXchange<https://www.cisa.gov/resources-tools/resources/minimum-requirements-vulnerability-exploitability-exchange-vex> (VEX) and Types of Software Bill of Materials<https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom> (SBOM) documents. Led by CISA, both publications were debated and drafted by a community of industry and government experts with the goal of offering common guidance and structure for the large and growing global SBOM community.



The Types of SBOM document summarizes the common types of SBOMs that tools in the industry may create today, along with the data typically presented for each type. As software moves from planning to source to build to deployed and in use, tools may be able to detect subtle differences in the underlying components at each stage. These types will allow better differentiation among tools and in the broader marketplace.



The Minimum Requirements for VEX document specifies the minimum elements needed to create a VEX document. This will allow interoperability between different VEX implementations and data formats, and will help promote integration of VEX into new and existing security tools. The document also specifies some optional VEX elements.



The process of debating and drafting these documents underscores the value CISA places on bringing together the private and public sectors to develop timely resources that can help improve the cybersecurity marketplace.



Visit the SBOM webpage<https://www.cisa.gov/sbom> for information on CISA's work on this issue.



Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov<mailto:theresa.masse at cisa.dhs.gov>




