SBOM: Software Bill Of Materials

Software Bill of Materials

Exploring a Proof-of-Concept for the Energy Community
Video Library

Partnering to Support SBOM Adoption by the Energy Sector

The Energy Sector Software Bill Of Materials (SBOM) Proof of Concept (POC) effort is a partnership between DOE CESER and the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to develop and explore the application of SBOMs within energy sector environments. Using an open, transparent, consensus-based process, this diverse stakeholder group is developing tools, technologies, and use cases to catalyze SBOM adoption by technology vendors and asset owners in the energy sector.

The SBOM POC group has met monthly since April 2021 to advance SBOM development in the energy sector and share information with the stakeholder community.

Latest SBOM POC Meeting

Automating SBOMs and Lessons Learned from generating BOMs for CyTRICS

March 20, 2024

Using Surfactant to automate SBOMs, and discussions of lessons learned from generating BOMs for CyTRICS

Meeting Presentation

Meeting Video Library

Automating SBOMs and Lessons Learned from generating BOMs for CyTRICS

March 20 2024
Using Surfactant to automate SBOMs, and discussions of lessons learned from generating BOMs for CyTRICS

Cyber Labeling and SBOM Comparison

January 17 2024
Discussions on the Cyber Labeling Research Initiative and Visualizing Comparisons of Bills of Materials

SBOM Use Cases and CyMANII

December 12 2023
Software Bill of Materials use cases and CyManII Software Trace of a Manufacturing Process/Product

“Wind Supply Chain Security” and “SBOM Regulations”

July 19 2023
Discussion of Wind Supply Chain Security and SBOM Regulations

How are you using SBOMs today?

June 27 2023
Exploring the application of Software Bills of Materials in the Energy Sector.

SBOM Sharing Lifecycle Report

April 19 2023
CESER Partners with CISA to Release New Framework for Software Bill of Materials Sharing.

S4x23 SBOM Challenge Overview and Outcomes

March 15 2023
Recap of the S4x23 Software Bill of Materials (SBOM) challenge along with the results.

Sharing SBOMs

December 14 2022
A joint report on DOE-CESER and DHS-CISA collaborations on SBOM research and development.

Discussion of SBOMs at Microsoft and Google

October 19 2022
Adrian Digilio from Microsoft discusses Microsoft’s Open Source SBOM Tool and Isaac Hepworth from Google discusses Google’s approach to SBOM adoption.

Towards SBOMs in the Nuclear Industry

September 21 2022
A recording of DOE's bi-weekly meeting on SBOMs.

How to Build SBOM from Binaries

August 17 2022
Using CyTRICS program research to tell a "round-about" story of SBOMs.

VEX Energy Overview

June 15 2022
An update to VEX vulnerabilities and some tricks for addressing them.

Debrief of S4 SBOM Exercise

May 18 2022
Discuss exercises and feedback from the S4x22 conference session; CISA working group updates and CycloneDx announcements.

SBOM Transports

March 16 2022
Energy Sector Software Bill of Materials discussion: survey results of software bill of materials transports.

Venues for SBOM Discussion

February 16 2022
A review of SBOM’s activities from past year and preview of discussion opportunities and path ahead for 2022.

Energy SBOM Retrospective

December 01 2021
A retrospective analysis of the past year of Energy SBOM work and brainstorming for the year ahead.

All Hazards Analysis (AHA) VEXing

November 16 2021
Michael Hoover demonstrates how to link SBOM and VEX-driven component-level risk analysis with systemic critical interdependency analysis using INL’s All Hazards Analysis tool, (AHA).

Healthcare Proof of Concept

November 03 2021
Cooking Class: Presented by Tim Walsh of the Mayo Clinic

Juice Shop Demonstration

November 01 2021
A detailed walkthrough of the SBOM elements within the Juiceshop open source product.


October 20 2021
Cooking Show: Dr. Allan Friedman of CISA explains the concept and importance of the Vulnerabilities Exploitability eXchange (VEX) format, for reporting the status of component vulnerabilities.

SBOM Open Source

October 06 2021
Cooking Class: Thomas Steenbergen of discusses how the European auto industry is now using SBOMs in the SPDX format.

Making an SBOM

September 21 2021
Cooking Class: Steve Springett, leader of the OWASP CycloneDX project, demonstrates how to create an SBOM in that format.

Use Cases - Part 2

September 08 2021
Part 2 - This session will discuss use cases for SBOM.

Use Cases - Part 1

August 25 2021
This session will discuss use cases for SBOM.

Minimum Elements for SBOM

July 14 2021
Additional resources: NTIA SBOM Minimum Elements Report The 2019 NTIA Healthcare SBOM POC The Roles and Benefits of SBOM Across the Supply Chain The NTIA SBOM FAQ

Healthcare Lessons Learned

June 30 2021
Cooking Class: Jennings Aske of NY Presbyterian Medical Center and Jim Jacobson of Siemens Healthineers discuss lessons learned in the Healthcare SBOM PoC, which started in 2018 and continues today.


June 16 2021

Mural Synthesis Work

June 02 2021
Agenda: To identify specific topics, use cases, and technology gaps the POC would like to focus on in the remainder of the calendar year. We will be using a tool called MURAL to allow the group to work together and we will send an advance copy of the “board” in ...

Energy SBOM POC Charter

May 19 2021
The Project Charter captures high level planning information (scope, deliverables, assumptions, etc.) about the SBOM Proof of Concept effort. Agenda: Review draft charter for Energy Sector SBOM POC Facilitated feedback and discussion around charter and mission Logistics and organization moving forward

Proof of Concept Kickoff

April 26 2021
Attendees may be interested in this review of SBOM use cases, and the benefits across the ecosystem. We encourage you to review it before Monday’s meeting: NTIA SBOM Use Cases Roles and Benefits, 2019 [PDF] NTIA SBOM Use Cases Roles and Benefits, 2019 [PDF]

Planning a POC for Energy Community

April 14 2021
Explores the SBOM POC effort that later kicked off on April 26, 2021.

Lessons from Energy Community

March 24 2021
Offers lessons from the field, including work with DOE’s CyTRICS program, supplier and customer perspectives on SBOMs in the healthcare field, and perspectives from the automotive and IT industries.

Framing Software Supply Chain Transparency

February 18 2021
Provides a technical deep dive into what an SBOM is, the process for developing SBOMS, and how they are being implemented, including data formats and tools. Presentation: Technical Overview: Framing and Architecture Presentation: Technical Overview: Formats and Tooling

Overview of SBOM Energy POC

January 26 2021
Provides an overview of the SBOM work across a range of industries and communities during the past several years. Presentation: An Overview of SBOM Presentation: SBOM use cases for the energy sector Presentation: Experimenting with SBOM - lessons from the healthcare sector Presentation: Experimenting with SBOM - early steps in ...

Additional Resources

NTIA SBOM Resources

The National Telecommunications and Information Administration (NTIA) led an early multi-stakeholder effort to develop informational and technical resources for SBOMs between 2018-2021.

Click Learn More to review these foundational resources.

Learn More

CISA SBOM Resources

The Energy SBOM POC effort is a partnership between DOE CESER and DHS CISA. CISA is leading other SBOM-related efforts that inform and draw from this work.

Click Learn More to review the CISA workstreams and resources.

Learn More

Illuminating Digital Supply Chain Risk Webinar

April 30, 2021

Auburn University’s McCrary Institute hosted a panel discussion on growing policy support for BOMs, implementation challenges, and strategic use cases. Panelists include representatives from DOE, Idaho National Laboratory, NTIA, Unisys, and Microsoft Azure.

Learn More

Software Bill of Materials Sharing Lifecycle Report

CESER Partners with CISA to Release New Framework for Software Bill of Materials Sharing.

Read the Report
Meeting Presentation