CISA SBOM Sharing Lifecycle Report (2023)

Guide to the CISA SBOM Sharing Lifecycle Report, covering discovery, access, and transport patterns for SBOM distribution across supply chains.

Who it affects: Organizations that distribute or retrieve SBOMs across supply chains (vendors, buyers, operators) that need practical patterns for discovery, access, and transport.

Overview

The CISA SBOM Sharing Lifecycle Report addresses the operational side of SBOM distribution: how an SBOM gets from the party that produced it to the parties that need it. It does not add new data fields to SBOMs. Instead it describes the sharing lifecycle as three phases: Discovery (learning that an SBOM exists and where it lives), Access (authorization and retrieval), and Transport (the mechanism that actually delivers it).

Because the report prescribes no additional SBOM properties, its value lies in the infrastructure and process guidance it gives for moving SBOMs across a supply chain, including the case where a downstream consumer enriches an SBOM and shares it onward.

The Three Phases

1. Discovery

How do consumers find out that an SBOM exists and where to get it?

  • Discoverability mechanisms for locating SBOMs
  • Metadata and pointers that indicate SBOM availability

2. Access

Who is allowed to retrieve the SBOM and how is authorization managed?

  • Authorization and access control patterns
  • Public vs. private SBOM distribution models
  • Role-based access considerations

3. Transport

By what mechanism does an SBOM actually move from producer to consumer?

  • Repository portals and package registries
  • APIs for SBOM retrieval
  • Out-of-band delivery mechanisms (email, secure file transfer)
  • Enrichment workflows where downstream consumers add information and re-share
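As an added illustration of the three phases and the enrichment step above (not code from the CISA report, and not a CISA-defined format), the following Python models an in-process SBOM repository: a discovery record pins the location and digest of a published SBOM, an authorization check gates private SBOMs, retrieval re-verifies the digest, and a consumer enriches the SBOM and re-publishes it with a link back to the original digest. The record layout, role table, tokens, path scheme and sample SBOM are all assumptions constructed for the example.

```python
"""Toy end-to-end SBOM sharing lifecycle: discovery, access, transport, enrichment.

Constructed illustration for this page; not code from the CISA report and not a
CISA-defined format. The discovery-record layout, the role table, the tokens and
the sample SBOM are all assumptions. Everything runs in-process and offline.
"""
import hashlib
import json
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Discovery: a pointer that says "an SBOM for this product exists, here" ---
@dataclass(frozen=True)
class DiscoveryRecord:
    product: str
    version: str
    location: str    # where Transport will fetch it from (assumed path scheme)
    sha256: str      # digest pinned at publish time; checked again on retrieval
    visibility: str  # "public" or "private" (assumed two-model split)


# --- Access: a constructed token -> role table standing in for real authn/authz ---
ROLES = {"tok-customer-42": "customer", "tok-internal-7": "operator"}


def authorize(token: str, record: DiscoveryRecord) -> bool:
    """Public SBOMs are open to anyone; private ones need a known role."""
    if record.visibility == "public":
        return True
    return ROLES.get(token) in ("customer", "operator")


# --- Transport: an in-memory repository portal with a discovery index ---
class SbomRepository:
    def __init__(self) -> None:
        self._store: dict[str, bytes] = {}   # location -> serialized SBOM
        self._index: list[DiscoveryRecord] = []

    def publish(self, product, version, sbom, visibility) -> DiscoveryRecord:
        data = json.dumps(sbom, sort_keys=True).encode()
        digest = sha256(data)
        location = f"/sboms/{product}/{version}/{digest[:12]}"  # assumed scheme
        self._store[location] = data
        record = DiscoveryRecord(product, version, location, digest, visibility)
        self._index.append(record)
        return record

    def discover(self, product, version) -> list[DiscoveryRecord]:
        return [r for r in self._index
                if r.product == product and r.version == version]

    def fetch(self, token, record) -> dict:
        if not authorize(token, record):
            raise PermissionError(f"{token!r} may not read {record.location}")
        data = self._store[record.location]
        if sha256(data) != record.sha256:   # detect tampering in transit or at rest
            raise ValueError("transport integrity check failed")
        return json.loads(data)


# --- Enrichment: a consumer adds context and links back to the original digest ---
def enrich(sbom: dict, origin: DiscoveryRecord, annotations: dict) -> dict:
    return {**sbom, "annotations": annotations, "derived_from": origin.sha256}


def run_lifecycle() -> dict:
    repo = SbomRepository()
    producer_sbom = {  # constructed sample, minimal CycloneDX-like shape
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [{"name": "libfoo", "version": "1.2.3"}],
    }
    original = repo.publish("widget", "2.0", producer_sbom, "private")

    found = repo.discover("widget", "2.0")                 # Discovery
    try:                                                   # Access: unknown token
        repo.fetch("tok-unknown", original)
        denied = False
    except PermissionError:
        denied = True
    sbom = repo.fetch("tok-customer-42", original)         # Access + Transport

    enriched = enrich(sbom, original, {"deployed_in": "payments-cluster"})
    reshared = repo.publish("widget", "2.0", enriched, "private")

    repo._store[reshared.location] = b'{"bomFormat": "tampered"}'  # simulate corruption
    try:
        repo.fetch("tok-internal-7", reshared)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "discovered": len(found),
        "denied_without_role": denied,
        "components": len(sbom["components"]),
        "enriched_links_origin": enriched["derived_from"] == original.sha256,
        "records_after_reshare": len(repo.discover("widget", "2.0")),
        "reshare_has_new_digest": reshared.sha256 != original.sha256,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(json.dumps(run_lifecycle(), indent=2))
```

The digest pinned in the discovery record is the check practitioners most often leave out: without it, an API or portal that serves the wrong bytes is indistinguishable from one serving the right ones. It only helps, though, when the consumer obtains the pointer over a channel it already trusts (a signed manifest, an authenticated portal); an attacker who can rewrite both the SBOM and the record that points to it defeats the check.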

Key Concepts

  • Discoverability mechanisms for locating SBOMs
  • Authorization and access control patterns for managing who can retrieve SBOMs
  • Transport protocols and sharing patterns (repository portals, APIs, out-of-band delivery)
  • Enrichment workflows where downstream consumers add information and re-share

Practical Applications

This report is valuable for:

  • Organizations setting up SBOM distribution infrastructure
  • Procurement teams defining SBOM delivery requirements in contracts
  • Security teams designing SBOM ingestion workflows

Official Source


Disclaimer: This page represents our interpretation of the referenced frameworks and standards. While we strive for accuracy, we may have made errors or omissions. This content is provided for informational purposes only and does not constitute legal advice. For compliance decisions, consult the official source documents and seek qualified legal counsel.