Guide
SBOM Types Explained: Choosing the Right Software Bill of Materials Strategy
This guide explains the six types of Software Bills of Materials (SBOMs) defined by CISA and how they apply across the software development lifecycle. It describes Design, Source, Build, Analyzed, Deployed, and Runtime SBOMs, highlighting their benefits, limitations, and use cases. The guide emphasizes that SBOMs provide visibility into software components, helping organizations identify vulnerabilities, license risks, and dependency issues. It recommends Build and Analyzed SBOMs for balancing accuracy and efficiency, especially for compliance and risk management. The document also stresses treating SBOMs as an ongoing process rather than a static document, supported by automation and software composition analysis (SCA) tools to ensure continuous visibility and security.
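As an added illustration (not code from the guide), the following Python reconciles a Build SBOM with an Analyzed SBOM of the same artifact to show why the guide pairs the two: each catches components the other misses. Both documents are constructed minimal CycloneDX 1.5 JSON; the `lifecycles` phases `build` and `post-build` are CycloneDX's labels for the build-time and post-build-analysis stages.

```python
import json

# Constructed sample: a Build SBOM emitted by the packaging tool, listing
# the dependencies the build declared.
BUILD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"lifecycles": [{"phase": "build"}]},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
    ],
})

# Constructed sample: an Analyzed SBOM produced by scanning the shipped image,
# which sees OS-level libraries the build never declared.
ANALYZED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"lifecycles": [{"phase": "post-build"}]},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "libssl3", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/libssl3@3.0.2?arch=amd64"},
    ],
})


def components(sbom_json):
    """Index a CycloneDX document's components by package URL (purl)."""
    doc = json.loads(sbom_json)
    return {c["purl"]: c for c in doc.get("components", []) if "purl" in c}


def lifecycle_phases(sbom_json):
    """Return the lifecycle phases a CycloneDX document claims to cover."""
    meta = json.loads(sbom_json).get("metadata", {})
    return [lc.get("phase") for lc in meta.get("lifecycles", [])]


def reconcile(build_json, analyzed_json):
    """Compare a Build and an Analyzed SBOM of the same artifact.

    build_only: declared at build time but not found in the artifact (scanner
    gap, or a dependency that was never actually shipped).
    analyzed_only: present in the artifact but never declared by the build
    (OS packages, vendored code); invisible to a Build SBOM alone.
    merged: the union, the more complete inventory the guide recommends.
    """
    build, analyzed = components(build_json), components(analyzed_json)
    return {
        "both": sorted(build.keys() & analyzed.keys()),
        "build_only": sorted(build.keys() - analyzed.keys()),
        "analyzed_only": sorted(analyzed.keys() - build.keys()),
        "merged": {**build, **analyzed},
    }
```

The two one-sided lists are the actionable output: each entry is a component that one SBOM type would have hidden from vulnerability or license review.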
