Software Bill of Materials (SBOM) in Your Technical Documentation
The Software Bill of Materials, or SBOM, is a critical component of your vulnerability management process under the Cyber Resilience Act (CRA). Consequently, it's a key part of your Technical Documentation.
The SBOM Requirement
Annex I, Part II, point (1), requires manufacturers to "identify and document... components contained in products with digital elements, including by drawing up a software bill of materials".
Annex VII, which details the contents of the Technical Documentation, then specifies that information on vulnerability handling processes must include the SBOM (Annex VII, point 2b).
Role of the SBOM in Your Documentation
For your app, game, or software library, the SBOM acts as a detailed inventory. It's a formal record of all the software components and libraries you've used to build your product, including open-source and commercial dependencies. Think of it as the list of ingredients for your software.
Including the SBOM in your Technical Documentation serves several purposes:
- Demonstrates Due Diligence: It shows authorities that you have a clear understanding of your own software supply chain, a key aspect of modern vulnerability management.
- Supports Vulnerability Management: It is the foundation for your process of tracking vulnerabilities in third-party components. When a new vulnerability is announced, you check it against your SBOM.
- Enables Oversight: Annex VII, point 8, adds that authorities can make a reasoned request for the SBOM if it's necessary for them to check compliance.
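The check described above, as an added example that is not part of the original page: a new advisory is matched against the components listed in an SBOM. The CycloneDX-style fragment, the advisory records (the `purl_prefix`/`fixed_in` fields) and the placeholder advisory IDs are all constructed for the illustration and are not a real product's inventory or a real feed format.

```python
import json

# Constructed CycloneDX-style SBOM (minimal subset of the real JSON format), not a
# real product's inventory. Matching is done on the "purl" field.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "2.3.1", "purl": "pkg:npm/libfoo@2.3.1"},
    {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "unpinned", "purl": "pkg:npm/unpinned"}
  ]
}"""

# Constructed advisories with placeholder IDs: affected package (purl without a
# version) and the first version that contains the fix. Assumed record shape.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_prefix": "pkg:npm/lodash", "fixed_in": "4.17.21"},
    {"id": "ADV-EXAMPLE-0002", "purl_prefix": "pkg:generic/zlib", "fixed_in": "1.2.12"},
]

def parse_version(v):
    """'1.2.11' (or '1.2.11-r1') -> (1, 2, 11), a tuple that orders correctly."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))

def split_purl(purl):
    """Return (package, version); version is None when the purl is not pinned."""
    if "@" not in purl:
        return purl, None
    base, rest = purl.rsplit("@", 1)
    return base, rest.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath

def affected_components(sbom_json, advisories):
    """Return (hits, unassessable): hits are (advisory id, component, version)
    for components older than the fixed version; unassessable lists components
    whose purl carries no version, which must be resolved by hand, not skipped.
    """
    sbom = json.loads(sbom_json)
    hits, unassessable = [], []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp.get("purl", ""))
        if version is None:
            unassessable.append(comp.get("name", base))
            continue
        for adv in advisories:
            if base == adv["purl_prefix"] and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((adv["id"], comp["name"], version))
    return hits, unassessable
```

Components with an unpinned purl are reported separately rather than silently passed, since a version-less entry cannot be cleared against any advisory.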
The CRA also gives the Commission the power to specify the format and elements of the SBOM through implementing acts (Article 13, Paragraph 24).
Key Takeaway
An SBOM is a mandatory part of documenting your vulnerability handling processes within your Technical Documentation. It serves as your software's ingredient list, demonstrating supply chain awareness and enabling effective vulnerability tracking.