Who it affects: SBOM producers and consumers who need shared terminology and a consistent crosswalk between SBOM formats (CycloneDX/SPDX) for policy, tooling, and interoperability.
Overview
The CISA Framing Software Component Transparency document provides conceptual definitions and serves as the normalization layer across SBOM formats. It defines “Baseline Attributes” and provides the authoritative crosswalk between CycloneDX and SPDX (including SPDX 3.0).
Key Terminology
The Framing document establishes shared terminology for SBOM discussions:
- Author - The source of the descriptive metadata (not the author of the software itself)
- Dependency - The relationship between two components, including types: static, dynamic, remote, provided, direct, transitive
Baseline Attributes
The Framing document defines baseline attributes that should be present in every SBOM. These align closely with the NTIA minimum elements but provide additional context and cross-format mappings.
Why This Document Matters
The Framing document is particularly useful as:
- The canonical source for schema field mappings - See our Schema Crosswalk
- A normalization layer - Enables consistent interpretation across CycloneDX and SPDX
- The reference for other frameworks - FDA and other guidance documents point to the Framing document for baseline attributes
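As an added illustration of the normalization idea and of the Author and Dependency terms above (example code written for this page, not taken from the Framing document or any tool), the sketch below reads both from a CycloneDX 1.5 JSON document and an SPDX 2.3 JSON document and reduces them to one shape, then splits dependencies into direct and transitive. The sample SBOMs, the function names, and the treatment of SPDX `Tool:` creators are assumptions of the example.

```python
import json

# Constructed sample SBOMs (not real products), trimmed to the fields used here.
CDX = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"authors": [{"name": "Build Team"}]},
  "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]}, {"ref": "lib-a", "dependsOn": ["lib-c"]}]}""")
SPDX = json.loads("""{"spdxVersion": "SPDX-2.3",
  "creationInfo": {"creators": ["Organization: Build Team", "Tool: example-gen-1.0"]},
  "relationships": [
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-lib-a"},
    {"spdxElementId": "SPDXRef-lib-b", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-lib-a", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-lib-c"},
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"}]}""")

def _short(spdx_id):
    # Assumption of this example: IDs differ from CycloneDX refs only by the SPDXRef- prefix.
    return spdx_id[len("SPDXRef-"):] if spdx_id.startswith("SPDXRef-") else spdx_id

def normalize(doc):
    """Return (authors, edges); edges is a set of (dependent, dependency) pairs."""
    if doc.get("bomFormat") == "CycloneDX":
        authors = [a["name"] for a in doc.get("metadata", {}).get("authors", []) if a.get("name")]
        edges = {(d["ref"], dep) for d in doc.get("dependencies", []) for dep in d.get("dependsOn", [])}
        return authors, edges
    if str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        creators = doc.get("creationInfo", {}).get("creators", [])
        # Choice made here: Person/Organization entries count as Author; Tool entries are skipped.
        authors = [c.split(":", 1)[1].strip() for c in creators if c.startswith(("Person:", "Organization:"))]
        edges = set()
        for r in doc.get("relationships", []):
            a, b = _short(r["spdxElementId"]), _short(r["relatedSpdxElement"])
            if r["relationshipType"] == "DEPENDS_ON":
                edges.add((a, b))
            elif r["relationshipType"] == "DEPENDENCY_OF":  # same fact, reversed direction
                edges.add((b, a))
        return authors, edges
    raise ValueError("unrecognized SBOM format")

def classify(edges, root):
    """Split everything reachable from root into (direct, transitive) dependency sets."""
    direct = {dep for src, dep in edges if src == root}
    reach, frontier = set(direct), set(direct)
    while frontier:  # breadth-first walk; subtracting reach makes cycles terminate
        frontier = {dep for src, dep in edges if src in frontier} - reach
        reach |= frontier
    return direct, reach - direct - {root}

for doc in (CDX, SPDX):
    print(normalize(doc)[0], classify(normalize(doc)[1], "app"))
```

Both inputs reduce to the same author list and edge set, which is the property a policy check needs before it can be written once and applied to either format.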
Related Frameworks
- NTIA Minimum Elements - The original baseline guidance
- CISA 2025 Minimum Elements - Updated guidance
- Schema Crosswalk - CycloneDX and SPDX field mappings
Official Source
Disclaimer: This page represents our interpretation of the referenced frameworks and standards. While we strive for accuracy, we may have made errors or omissions. This content is provided for informational purposes only and does not constitute legal advice. For compliance decisions, consult the official source documents and seek qualified legal counsel.