Operations Bill of Materials (OBOM)

Software Bill of Materials

Software-as-a-Service BOM

Vulnerability Exploitability Exchange

Manufacturing Bill of Materials

Operations Bill of Materials

Bill of Vulnerabilities

Javascript Object Notation

Extensible Markup Language

Protocol Buffers

CycloneDX is a full-stack bill of materials standard supporting entire runtime environments consisting of hardware, firmware, containers, operating systems, applications and their libraries. Coupled with the ability to specify configuration makes CycloneDX ideal for Operational Bill of Materials. OBOM is a security behavior defined in BSIMM and similar maturity models.

CycloneDX properties provide a mechanism to store configuration on a per-component and per-service basis inside a BOM. The specification also provides a mechanism to store URLs to documentation, including configuration management systems.

Independent OBOM and SBOM

Inventory described in a SBOM will typically remain static until such time the inventory changes. However, operational information may be dynamic and subject to change. Therefore, it is recommended to decouple the OBOM from the SBOM. This allows OBOM information to be updated without having to create and track additional SBOMs.

Independent SBOM and OBOM Document

High-Level Object Model

CycloneDX Object Model Swimlane

References

BSIMM SE3.6 - Enhance application inventory with operations bill of materials

Examples

BOMs demonstrating OBOM capabilities can be found at https://github.com/CycloneDX/sbom-examples