Over the past 12-18 months, there’s been a significant evolution in how organizations use SBOMs (software bill of materials). Companies have started to shift from a narrow focus on SBOM generation to a broader program that also prioritizes ingesting and analyzing SBOMs from suppliers and internal teams.

This change has been largely driven by regulatory compliance — fulfilling SBOM compliance requirements often means combining multiple SBOMs from multiple teams and suppliers — but also software supply chain security supply. Continuous SBOM monitoring is a valuable tool in fast vulnerability response. 

The increased focus on ingesting SBOMs has also put a premium on the importance of enforcing SBOM standards across teams and supplier networks. SBOM regulations have very detailed requirements that cover data fields and file formats, and organizations risk facing compliance threats if their SBOMs don’t check the right boxes.

That’s where FOSSA’s new SBOM policy feature comes in. Now, users can enforce SBOM standards across both external supplier networks and internal teams to ensure their ingested SBOMs meet requirements for data fields and file formats. If they don’t, FOSSA can highlight inaccurate or missing fields and enrich the SBOM to make it compliant.

Using FOSSA’s SBOM Policy Feature

There are three primary elements to FOSSA’s SBOM policy feature. We’ll explore each below. Note that SBOM policies are currently available only in paid FOSSA tiers, not our free tier.

  1. Set SBOM Policies

Get started by adding your SBOM policies to FOSSA. Your policies will determine the elements (data fields and file formats) of an ingested SBOM that must be present for that SBOM to be considered policy-compliant. 

You’ll have the option to create as many different SBOM policies as you’d like to ensure you most effectively address your intended use case(s). Note that you can also choose to activate FOSSA’s pre-built SBOM policy to ensure compliance with NTIA and FDA SBOM requirements

Setting up SBOM policies in FOSSA

SBOM policies are applied at the project level; you can select any policy to apply to a project. We also offer organization-level defaults that can be used to configure the default SBOM policy for any project. Here’s how these options work: 

  • Organization level: Navigate to “Policies” in the header of the FOSSA application, then select “SBOM” in the “Policy Type” dropdown.
  • Project level: Select the “Settings” option toward the top of the page of any project in FOSSA, then click on “Policies” in the menu on the left side of the page. Scroll down to the SBOM section and choose your preferred policy.  

Note that regardless of where you apply policies or which policy you select, you must check the “Enable SBOM Policy” box for the feature to take effect.

  1. Import and Analyze 

Once you’ve published and enabled SBOM policies, an analysis will be triggered each time you import an SBOM. You’ll be able to review results via the Analysis section on the project summary page (or by navigating to any SBOM import).

Each analysis will result in a pass, fail, or neutral result as follows:

  • Pass (denoted by a green check): All attributes meet the criteria defined in the SBOM policy
  • Fail (denoted by a red X): One or more attributes in the SBOM are in violation of the SBOM policy
  • Neutral (denoted by a gray hyphen): Attribute is not required by the SBOM policy
Analysis of SBOM results in FOSSA
  1. Enrich

If your imported SBOM(s) has missing attributes — but valid PURLs (Package URLs) — FOSSA can enrich your SBOM data with a straightforward file export workflow. Click Reports -> SBOM, select all elements you want to be part of your SBOM, and export the report. This will reduce the required back-and-forth between SBOM program managers, external suppliers, and internal teams.

Benefits of FOSSA’s SBOM Policy Feature

FOSSA SBOM policy enforcement and enrichment supports several important use cases.

Regulatory Compliance

Organizations can use this feature to check the SBOMs they get from software suppliers and internal teams for compliance with regulatory requirements. (And to enrich imported SBOMs that are missing mandatory fields.) Ensuring ingested SBOMs include all necessary data and are in the necessary file format goes a long way toward simplifying delivery of the final, application- or device-level SBOM.

Vendor Risk Management

As organizations start to require software suppliers to produce SBOMs, enforcing policies is a logical next step. The ability to standardize data fields and formats from across your supplier ecosystem makes continuous monitoring of all supplier ecosystem SBOMs far more effective. It also allows for a faster response to vulnerabilities.

SBOM Quality Analysis 

One of the complicating factors in the evolution from SBOM generation to comprehensive SBOM management (including ingestion) is that it can be hard to understand SBOM quality. An SBOM needs to be comprehensive and accurate for the end-user to gain maximum value. FOSSA’s SBOM Policy feature enables users to understand if the SBOM import results are high quality due to user error, which can be the catalyst for conversations with SBOM producers. 

Customer Requests

A growing number of organizations, especially in regulated industries, are requesting application-level SBOMs as a condition of doing business. Businesses with large development organizations may find it challenging to fulfill these requirements without a way to standardize and combine SBOMs. FOSSA’s SBOM policies make it much easier to ensure all internal teams provide SBOMs with consistent and standardized elements. 

Learn More About FOSSA’s SBOM Policies

For more information about FOSSA’s SBOM Policies, we recommend the following next steps: