CHAPTER 4: Rise of Software Bill of Materials

This chapter discusses the origins of the SBOM concept, including early failures and successes and the U.S. federal and industry organizations who have contributed to its maturity. We'll also dive into some of the details of SBOM formats, specific fields, and the emergence of the Vulnerability Exploitability eXchange (VEX).

SBOM in Regulations: Failures and Successes

While there may be a flurry of SBOM momentum under way in the industry, it has taken several years to get to this point, with the involvement of a variety of government and industry organizations. Most notably, the recent SBOM momentum came through the National Telecommunications and Information Administration (NTIA).

That said, while NTIA and events such as Log4j and SolarWinds may have played a critical role in recent momentum around SBOM, earlier events involving vulnerabilities in Apache Struts 2 and OpenSSL led to the introduction of legislation such as the Cyber Supply Chain Management and Transparency Act of 2014 (www.congress.gov/bill/113th-congress/house-bill/5793/text).

The bill focuses on the integrity of software, firmware, and products developed for or purchased by the U.S. Government that use third-party and OSS code and calls for a component list, or bill of materials, to be in software, firmware, or product contracts for the Federal Government. One early pioneer who was heavily involved in this effort is industry leader ...
