Hi Shimon,
According to the current eStar template, the SBOM needs to be included in the Cybersecurity Risk Management documentation section along with Threat Modeling, Unresolved Anomalies, Cybersecurity Controls, Traceability Matrix and Cybersecurity Testing, which should likely be split into the following documents and then combined to form one PDF (at least that's how I see it): Security Risk Management Plan, Threat Modeling Overview, Cybersecurity Risk Assessment, Security Risk Management Report; and then there is a separate section of the eStar for the Cybersecurity Management Plan.
Hope that helps! If anyone has a recommendation for an open-source SBOM, that would be greatly appreciated.
------------------------------
Sebastian Feye
Accurate Consultants
San Diego CA
United States
------------------------------
Original Message:
Sent: 06-Dec-2023 08:01
From: Shimon Vaknin
Subject: SBOM
Hi Everyone,
A short question (I hope):
Where do you document the Software Bill of Material (SBOM) in the submission? I mean, in the SDD, Off-The-Shelf software report, or separately.
Thanks!
Shimon