Before going into the details, definitions of the terminology used are provided.
An Asset is a concept or unit of value. Here, an Asset is either a Software Asset or a Hardware Asset. Assets may also be documents or data sets; content in general.
A Bill of Materials (BOM) lists the details of an Asset in a human- or machine-readable fashion. BOMs can contain hierarchy or relationship information.
The supplier is a person or legal entity that produces a Software or Hardware Asset. The supplier is the originator, creator, or manufacturer of an Asset.
A distributor distributes Software and Hardware Assets without modifying them; the Assets are distributed "AS IS".
A vendor is a supplier or distributor that acts in a commercial context / relationship with a consumer of an Asset.
A Software Asset is an Asset consisting of Software. Software Assets are for example:
- Software archives for distribution
- Software Container Images
- Virtual Machine Images
Substructures or details of a Software Asset are Software Artifacts or just Artifacts.
Software Components group Software Artifacts into a logical unit. Often these artifacts have consistent characteristics.
A human- or machine-readable BOM lists Software Artifacts providing details on one or more Software Assets.
A Hardware Asset is an Asset consisting of Hardware. Hardware Assets are for example:
- Devices (stationary devices and equipment, mobile devices, robots)
- Server appliances
A Hardware Asset may require software to operate (microcontroller programs, FPGA programs, operating systems and other software components).
A Hardware Unit is a physical unit of hardware. A Hardware Asset may consist of one or more Hardware Units.
Details of a Hardware Unit are Hardware Parts or just Parts.
A human- or machine-readable BOM lists Hardware Parts detailing one or more Hardware Assets. An HBOM consists primarily of all Hardware Parts required to build a complete and shippable product. In addition, the HBOM may point to software and service information where additional details are kept.
Background: The term Manufacturing Bill of Materials (MBOM) is defined in early ANSI/ISA-95 (IEC 62264-1 Models and Terminology). More recently, the term Hardware Bill of Materials (HBOM) has come into common use. See also CISA - A Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management.
To outline the essentials of SBOMs, the different use cases around SBOMs are inspected:
- Creating an SBOM from Software Assets
- Creating Software Documentation based on an SBOM
- Monitoring Vulnerabilities using an SBOM
- Reporting Vulnerabilities using an SBOM
- Scanning Software based on an SBOM
The following projects define SBOM data models and format definitions:
HBOM creation usually cannot be automated. In the best case, HBOMs can be exported from hardware or mechanical design tools.
Based on an HBOM, the following use cases are anticipated:
- Linking the HBOM to SBOMs, specifically with respect to software placed on the hardware (firmware, loadable application code)
- Monitoring vulnerabilities of hardware, also in correlation with software
Background: Some vulnerabilities only surface in combination with hardware, e.g., a specific piece of hardware running a specific software configuration.
To organize software and hardware uniformly, the metaeffekt tools use the following scheme:
| Level | Description | Software | Hardware |
|---|---|---|---|
| Asset | Asset of value. Assets are distributed and contractually agreed. | Software Asset | Hardware Asset |
| Component | Groups of Artifacts may form a Component. A Component can also be represented by a single Artifact. | Software Component | Hardware Unit / Hardware Component |
| Artifact | Identifiable representation / part of a Component. See ArtifactType. | Software Artifact (Archives, Packages, Files, Snippets) | Hardware Part |
Further aspects apply:
- For Vulnerability Monitoring it is essential to choose the appropriate granularity for both hardware and software and to model their relationship.
- Some Components may even represent individual Assets as required on lifecycle / contract level.
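The following is an added example, not metaeffekt code: it models the Asset / Component / Artifact levels from the table above for one Hardware Asset whose HBOM links to the SBOM of the firmware it runs, and checks a vulnerability that only applies to a hardware/software combination (the HBOM use cases above). All names, identifiers and the advisory are constructed for illustration.

```python
# Added example (not metaeffekt code). Asset/Component/Artifact hierarchy with an
# HBOM -> SBOM link, and matching of a combined hardware+software vulnerability.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Artifact:                      # Software Artifact or Hardware Part
    id: str
    kind: str                        # "software" or "hardware"

@dataclass
class Component:                     # Software Component or Hardware Unit
    name: str
    artifacts: list[Artifact] = field(default_factory=list)

@dataclass
class Asset:                         # Software Asset or Hardware Asset
    name: str
    kind: str
    components: list[Component] = field(default_factory=list)
    runs: list[Asset] = field(default_factory=list)   # HBOM -> SBOM link (software on the hardware)

def artifact_ids(asset: Asset, kind: str) -> set[str]:
    """All artifact ids of `kind` reachable from an asset, following HBOM -> SBOM links."""
    ids = {a.id for c in asset.components for a in c.artifacts if a.kind == kind}
    for linked in asset.runs:
        ids |= artifact_ids(linked, kind)
    return ids

def affected(asset: Asset, advisory: dict) -> bool:
    """True only if every hardware part AND every software artifact named in the
    advisory is present on the same (linked) asset: the HW/SW-combination case."""
    return (advisory["hardware"] <= artifact_ids(asset, "hardware")
            and advisory["software"] <= artifact_ids(asset, "software"))

# Constructed sample data (hypothetical identifiers, not real products or advisories)
firmware = Asset("gateway-firmware", "software", [
    Component("network-stack", [Artifact("pkg:generic/example-netstack@1.0", "software")])])
mainboard = Component("mainboard", [Artifact("hw:mcu/example-soc-rev-a", "hardware")])
gateway = Asset("iot-gateway", "hardware", [mainboard], runs=[firmware])
# Same firmware on a different SoC: the combination does not match
other_device = Asset("other-device", "hardware",
                     [Component("board", [Artifact("hw:mcu/example-soc-b", "hardware")])],
                     runs=[firmware])
ADVISORY = {"id": "EXAMPLE-0001",
            "hardware": {"hw:mcu/example-soc-rev-a"},
            "software": {"pkg:generic/example-netstack@1.0"}}

if __name__ == "__main__":
    for asset in (gateway, other_device, firmware):
        print(f"{asset.name}: affected={affected(asset, ADVISORY)}")
```

Running it reports the gateway as affected, while the other device (different SoC) and the firmware Software Asset on its own (no hardware part) are not.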
- ISO/IEC 19770-1:2025 – IT Asset Management (ITAM)
- ISO/IEC 5230:2020 – OpenChain; standard for Open Source Compliance
- ISO/IEC 5692:2021 – System Package Data Exchange (SPDX)
- ECMA-424 – CycloneDX Bill of Materials (CycloneDX BOM)
- ISO/IEC 27001:2022 – Information Security Management System (ISMS)
- ISA/IEC 62443 – Industrial Automation Control System (IACS)
- BSI IT-Grundschutz Kompendium
- BSI TR-03183-2 – Cyber Resilience Requirement / SBOM
- Executive Order 14028 – Improving the Nation's Cybersecurity
- NTIA The Minimum Elements For a Software Bill of Materials (SBOM)
- EVB-IT base and standard contracts (Basisverträge und Standardverträge)
- Open CoDE SPDX Conformance
- EU Cyber Resilience Act (CRA)
- Awesome SBOM - Collection of various resources around SBOMs.
- CISA - A Hardware Bill of Materials (HBOM) for Supply Chain Risk Management - HBOM-centric framework.
Creative Commons Attribution-NoDerivatives 4.0 International
- Copyright (c) 2022-2024 Karsten Klein, metaeffekt GmbH
- Copyright (c) 2022 Thomas Schulte, metaeffekt GmbH