SBOM management and VEX publishing
turn the procurement-checkbox SBOM into a live operating record

The SBOM is generated to satisfy a procurement questionnaire and immediately filed in a shared drive. The artefact exists; the operating discipline does not. When a transitive CVE drops, the lookback question cannot be answered from the SBOM because it was never linked to the build, the asset, or the deployed inventory. Procurement passes; vulnerability management gets no signal.

Inbound SBOMs from upstream vendors arrive as attachments to procurement contracts and never enter the security record. The recursive question (which upstream component introduces the CVE downstream consumers are asking about) cannot be answered because the upstream component catalogue is not indexed. The next supply-chain compromise turns into an emergency reconstruction project.

A customer asks whether the product is exposed to a high-profile CVE. A security engineer answers in chat or email with the correct rationale, but the answer is never written back to the finding. The next customer asks the same question two weeks later and receives a different answer because the institutional memory of the prior decision lives in a search index nobody trusts.

Upstream suppliers ship SPDX, CycloneDX, proprietary JSON, and PDF attachments. The programme accepts every format and never normalises against a canonical component identifier such as Package URL (purl) or CPE. The vulnerability-matching layer reads each format separately and the recursive picture never resolves because the same library appears under three different names across three suppliers.

SBOMs are generated per build but never linked to the build that actually shipped to production. The component catalogue available to the security team reflects the latest build pipeline, not the version the customer is running. The exposure picture answers correctly for the next release and wrongly for the live deployment.

A VEX statement marked not affected is captured against a finding and never reviewed. Six months later, the application has shipped two refactors, the reachability claim no longer holds, and the VEX statement still says not affected. The audit lookback finds VEX statements that have outlived the conditions they were issued against and the programme loses its defensible posture.

The SBOM regenerates on every successful build of every release artefact at minimum, with a documented re-generation trigger on dependency upgrades, on container base-image rebuilds, on firmware re-flashes, and on every formal release. The cadence and trigger conditions live on the engagement record so the next release inherits the policy rather than re-litigating it.

The programme picks SPDX, CycloneDX, or both as the canonical generation format and standardises on Package URL (purl) or CPE as the canonical component identifier across SBOM, vulnerability matching, and VEX. The format choice lives in the policy so cross-product normalisation is a transformation rather than a regeneration. Mixed formats are accepted on ingestion and converted to the canonical form before they hit the component catalogue.

Inbound SBOMs from upstream vendors, base images, and dependency suppliers land on the engagement record as document attachments with the supplier, the artefact version, the receipt date, the format, and the verification status (signed, unsigned, supplier-attested). The provenance rule defines which suppliers must ship an SBOM, in which format, and the cadence the programme expects updates against.

Every SBOM is bound to the running asset that ships it: the verified domain for SaaS services, the deployed application identifier for first-party software, the container image digest for containerised services, the firmware build identifier for embedded systems. The binding rule produces a queryable map from CVE to affected asset rather than from CVE to component-name-only.

Every VEX statement (affected, not affected, fixed, under investigation) carries the named issuer, the issue date, the rationale, the supporting evidence link on the engagement record, the customer or audience the statement was issued to, and the review trigger that revalidates the statement. Statuses with no review trigger expire after a defensible default window (90 days is common); statuses on the engagement record stay defensible against the next audit lookback.

The policy names which downstream consumers receive the current SBOM and VEX (customers under NDA, procurement auditors with a signed access agreement, internal audit, regulators where a notification clock applies), through which channel (branded client portal, structured export, signed PDF artefact), and on what cadence. The delivery record lands on the activity log so the procurement audit can reconstruct who received which version when.

Customer procurement teams ask for the SBOM that matches the version their organisation is running, the VEX status across high-profile CVEs in the portfolio, and the cadence on which the SBOM regenerates. The branded client portal exposes the live SBOM and VEX status against per-tenant access so the procurement answer reads off the same record the engineering team is closing findings against.

AppSec triages new CVE matches against the component catalogue, classifies reachability where it applies, and routes the finding to the engineering owner. Product security carries the VEX statement record per finding and the customer-facing communication cadence. Both read against the same engagement record so the internal triage decision and the external statement do not diverge.

The vulnerability-management programme inherits the matched findings from the SBOM-against-vulnerability-database run as part of the wider backlog. SBOM-derived findings sit alongside DAST, SAST, secret-scanning, and external-scan findings on the same engagement so the prioritisation queue reads as one source rather than a parallel SCA pipeline.

GRC reads the SBOM and VEX history against EO 14028, NTIA minimum elements, NIS2, DORA, the EU CRA, NIST SSDF, and sector-specific expectations like FDA cybersecurity guidance. The activity log CSV export of every generation event, ingestion event, VEX issuance, and downstream delivery is the audit-read artefact the regulator-facing answer assembles from.

Leadership reads the supplier coverage map (which suppliers ship SBOMs, which formats, with what cadence), the supply-chain CVE exposure rate, the VEX coverage rate across high-priority CVEs, the customer-facing delivery latency, and the per-supplier risk concentration. AI-assisted report generation drafts the leadership narrative against the live engagement so the board view, the operational queue, and the audit lookback all reconcile.

U.S. Executive Order 14028 establishes the federal expectation that software suppliers provide SBOMs that meet the NTIA Minimum Elements published 12 July 2021. The minimum elements name the data fields per component (author, supplier, name, version, unique identifier, dependency relationship, timestamp), the automation expectation (machine-readable format such as SPDX, CycloneDX, or SWID), and the practices and processes (regeneration frequency, recursion depth, distribution, access control). A canonical engagement record covering generation, ingestion, asset binding, vulnerability matching, VEX statements, and downstream delivery satisfies the EO 14028 evidence ask without a parallel attestation per release.

CISA SBOM-at-a-Glance and the wider CISA SBOM resources extend the NTIA baseline with deployment, distribution, and consumption guidance. The expectation is that the SBOM travels with the artefact, the consumer can verify the SBOM against the artefact, and the SBOM is current with the version that shipped. The engagement record carries the build-to-SBOM provenance, the asset-to-SBOM binding, and the activity log of every regeneration event so the CISA-style consumption read holds up against the lookback question.

Article 21 of NIS2 requires that essential and important entities apply appropriate technical, operational, and organisational measures to manage cybersecurity risks of network and information systems they use, including supply-chain security. Annex I and the accompanying secondary acts expect documented evidence of the supply-chain risk assessment, the criticality assessment of suppliers, and the response to identified vulnerabilities in supplied components. The SBOM and VEX record covering generation, ingestion, matching, status assertion, and downstream delivery is the audit-read artefact the regulator expects for the supply-chain leg of the NIS2 risk-management obligation.

The Digital Operational Resilience Act for the EU financial sector expects in-scope financial entities to identify, monitor, and manage ICT third-party risk, including third-party software components, on a documented basis. Article 28 names the contractual and operational expectations on critical ICT third-party service providers, and the broader regulation expects the entity to maintain a register of ICT third-party service contracts and to be able to evidence the supply-chain risk picture. The SBOM and VEX engagement record produces the supplier-level component catalogue, the vulnerability picture per supplier, and the response decision per CVE that the DORA register reads from.

The EU Cyber Resilience Act establishes cybersecurity requirements for products with digital elements placed on the EU market, including software components. The regulation expects manufacturers to maintain a software bill of materials covering top-level dependencies, to identify and remediate vulnerabilities for the lifetime of the product, and to issue advisories and provide updates. The engagement record covering SBOM generation, vulnerability matching, VEX statements, and downstream advisory delivery is the operating layer the manufacturer evidence trail reads against.

PW.4 (Reuse Existing, Well-Secured Software When Feasible) expects documented evidence that third-party components are inventoried and assessed for security; PW.5 (Create Source Code by Adhering to Secure Coding Practices) and PS.3 (Make Software Available as a Verified Item) expect verifiable provenance for components included in the build; RV.1 (Identify and Confirm Vulnerabilities on an Ongoing Basis) and RV.2 (Assess, Prioritize, and Remediate Vulnerabilities) expect ongoing vulnerability identification and prioritisation against third-party components. The SBOM and VEX workflow on the engagement satisfies the SSDF evidence ask across the PW, PS, and RV practice groups.

The FDA Premarket Cybersecurity Guidance for medical devices (September 2023) and the related Refuse to Accept policy expect a software bill of materials to be submitted with premarket submissions for cyber devices, with the SBOM covering commercial, open-source, and off-the-shelf software components. The post-market expectation is that manufacturers maintain SBOMs across the device lifecycle, monitor for vulnerabilities, and provide advisories. The engagement record covering generation, ingestion, matching, VEX statements, and the activity log is the operating evidence trail the FDA lookback reads against.

• Dependency vulnerability triage for the per-finding lifecycle on SBOM-derived component-CVE matches.
• Customer security evidence room for the wider customer-facing artefact delivery channel.
• Vendor security questionnaire response for the outbound side when your organisation receives an inbound SBOM request.
• PSIRT incident response for the case where a supply-chain CVE escalates to a public advisory.

• SLSA framework explained for the supply-chain integrity layer above SBOM.
• CISA secure software development attestation for the federal attestation expectation that pairs with SBOM.
• EU Cyber Resilience Act vulnerability handling for the CRA expectation on SBOM lifecycle.
• NIST SP 800-161 C-SCRM for the cyber supply-chain risk-management framework that reads against the SBOM and VEX record.
• CISA KEV catalog vulnerability management for the prioritisation signal that promotes SBOM matches to the front of the queue.
• Reachability analysis for vulnerability prioritisation for the input that supports the VEX not-affected rationale.

A high-profile CVE drops against a transitive component. The exposure question (which assets carry the component, at what version, supplied by which upstream) resolves as a query against the engagement record rather than as a reconstruction project across a folder of attachments.

Every VEX statement carries the named issuer, the issue date, the rationale, and the supporting evidence link on the engagement record so the next customer who asks the same question receives the same answer, and the next audit lookback reconstructs the history without searching chat.

Inbound SBOMs from upstream suppliers, first-party SBOMs from the build pipeline, and dependency findings from code scanning share one canonical component identifier so the recursive picture (which supplier introduced which component into which product) reads as one query.

The customer-facing answer to a procurement questionnaire, the AppSec triage queue, the engineering remediation plan, and the audit-read evidence all assemble from the same engagement record so the procurement claim, the operational queue, and the audit lookback never disagree.