
Why this whitepaper matters, and how to put it to work
By Anita D’Amico, David A. Wheeler, Kate Stewart and Josh Bressers
SBOMs are becoming part of everyday software practice, but many teams still ask the same question: how do we turn SBOM data into decisions we can trust? Our new whitepaper, “Improving Risk Management Decisions with SBOM Data,” answers that by tying SBOM information to concrete risk-management outcomes across engineering, security, legal, and operations.
What this paper does
- Shows how to align SBOM work with real business motivations like resiliency, release confidence, and compliance.
- Describes what “decision-ready” SBOMs look like, and how to judge data quality.
- Maps SBOM signals to real-world actions, for example, identify end-of-life components, prioritize maintenance, and accelerate incident response.
- Offers practical guidance on governance and change management so improvements stick.
Why we are publishing it at OpenSSF
This paper began in the SBOM Operations Tiger Team, a community-led effort facilitated by CISA. When the original publication path stalled, the authors submitted the work to OpenSSF for community review and stewardship. The SBOM Everywhere Special Interest Group, with input from contributors across our community, refined the document. Publishing at OpenSSF gives this guidance an open home with a pathway for maintenance and iteration.
“Our goal is simple: make SBOMs useful in day-to-day decisions for mitigating risk, not just a tick box item.” – Kate Stewart, VP of Dependable Embedded Systems, The Linux Foundation
“SBOMs aren’t a goal by themselves, they’re information to help people make better decisions. This document enables users to clarify how they’re using SBOMs so that the generators and distributors of SBOMs can ensure they’re meeting their users’ needs.” – David A. Wheeler, Director of Open Source Supply Chain Security, The Linux Foundation
“A common question around SBOM usage is ‘what can I do with it’. This isn’t a failure in the ability of SBOMs, but rather a gap in SBOM evangelism. This resource is a great way to help with SBOM understanding and awareness.” – Josh Bressers, VP of Security, Anchore
“This document is the first to graphically depict the SBOM Lifecycle and describe the major operations that users perform with an SBOM as it moves through the three phases of production, sharing and consumption. It provides practical examples of how both Producers and Consumers use SBOMs to inform decisions about software security, licensing, supportability, and compliance risks.” – Anita D’Amico, President, Cotopaxi Consulting
How to use the guidance
- Start with motivation. Pick a business driver first. For example, reduce incident impact or shorten time to triage.
- Acquire the SBOM. An SBOM could be provided by a supplier, or it could be generated in house. SBOM documents should conform to known standards and formats such as SPDX and CycloneDX.
- Connect to actions. Tie SBOM findings to clear playbooks: replace EOL components, page owners for unmaintained code, or trigger supplier questions.
- Measure. Track outcomes like time to detect and time to remediate. If metrics do not move, adjust the workflow, not just the data source.
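The four steps above, worked through as an added example that is not part of the whitepaper or the blog post: it loads a constructed CycloneDX JSON SBOM, applies a simple decision-readiness check (name, version and purl present), and maps each component to one of the playbook actions named above. The EOL list is a constructed stand-in for a real end-of-life feed.

```python
import json

# Constructed minimal CycloneDX 1.5 JSON SBOM (sample input for this example).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.17.2",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.2"},
    {"type": "library", "name": "python", "version": "3.7.17",
     "purl": "pkg:generic/python@3.7.17"},
    {"type": "library", "name": "internal-util", "version": "0.1.0"}
  ]
}"""

# Constructed end-of-life table: component name -> EOL major.minor series.
# In practice this would come from vendor or community EOL feeds.
EOL_VERSIONS = {"python": ("3.7",)}

# Fields a component entry needs before anyone can act on it.
REQUIRED_FIELDS = ("name", "version", "purl")

def load_components(sbom_json):
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc.get("components", [])

def quality_gaps(component):
    """Decision-ready check: which required fields are missing or empty?"""
    return [f for f in REQUIRED_FIELDS if not component.get(f)]

def is_eol(component):
    """True when the component's major.minor series is in the EOL table."""
    series = ".".join(component.get("version", "").split(".")[:2])
    return series in EOL_VERSIONS.get(component.get("name"), ())

def plan_actions(sbom_json):
    """Map each component to a playbook action: supplier question, EOL replacement, or none."""
    actions = {}
    for c in load_components(sbom_json):
        name = c.get("name", "<unnamed>")
        gaps = quality_gaps(c)
        if gaps:
            actions[name] = "ask supplier: missing " + ", ".join(gaps)
        elif is_eol(c):
            actions[name] = "replace EOL component"
        else:
            actions[name] = "no action"
    return actions
```

Counting entries that land in each bucket over successive SBOM drops gives the "measure" step its first metrics (for example, how many entries still need supplier follow-up).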
About this paper
Improving Risk Management Decisions with SBOM Data was drafted by contributors in the SBOM Operations Working Group (community-led, facilitated by CISA). It was reviewed and refined by the OpenSSF SBOM Everywhere SIG with contributions from the OpenSSF community, and is now published and maintained by OpenSSF.
Legal note: This is a community document. It does not represent the official views or policies of CISA, the U.S. Government, OpenSSF, the Linux Foundation, or any contributor’s employer. The views are those of the authors and contributors.
Get involved with SBOM Everywhere
The SBOM Everywhere SIG is part of OpenSSF’s Security Tooling Working Group and is open to everyone. You can:
- Join meetings: find times and Zoom on the OpenSSF Community Calendar: https://openssf.org/getinvolved/
- Subscribe: Join the SIG mailing list to follow discussions and announcements.
- Contribute: bring use cases, review drafts, or propose small experiments that move adoption forward.
Join the SBOM Monday Coffee Club
We also host an open, weekly community meetup on SBOMs.
- When: Mondays at 11:00 am Eastern Time
- Who: anyone from industry, government, and open source
- Format: informal discussion, quick share-outs, occasional demos, and running notes
- How to join: see the OpenSSF Community Calendar for the link and agenda: https://openssf.org/getinvolved/
Calls to action
- Read the white paper: Download “Improving Risk Management Decisions with SBOM Data”
- Join the SBOM Monday Coffee Club: Details at https://openssf.org/getinvolved/
- Contribute to SBOM Everywhere: Come to a meeting, join the list
About the Authors
Dr. David A. Wheeler is an expert on developing secure software and on open source software. He created the Open Source Security Foundation (OpenSSF) courses “Developing Secure Software” (LFD121) and “Understanding the EU Cyber Resilience Act (CRA)” (LFEL1001). He is completing creation of the OpenSSF course “Secure AI/ML-Driven Software Development” (LFEL1012). His other contributions include “Fully Countering Trusting Trust through Diverse Double-Compiling (DDC)”.
He is the Director of Open Source Supply Chain Security at the Linux Foundation and teaches a graduate course in developing secure software at George Mason University (GMU). Dr. Wheeler has a PhD in Information Technology, a Master’s in Computer Science, and a B.S. in Electronics Engineering, all from George Mason University (GMU), along with certificates in Information Security and Software Engineering. He is a Certified Information Systems Security Professional (CISSP) and a Senior Member of the Institute of Electrical and Electronics Engineers (IEEE).
Kate Stewart is the VP of Dependable Embedded Systems at the Linux Foundation, and has a specific focus on improving software transparency to enable security updates in safety critical systems. Since joining the Linux Foundation, she has launched and is the director for the Zephyr project and ELISA projects, as well as supporting other embedded projects working towards safety certification and adoption of security best practices.
Kate is an active member of the OpenSSF where she also co-leads the SBOM Everywhere project. She was a co-lead for the formats and tooling working group in the initial SBOM discussions hosted by NTIA, and was a co-lead for the community stakeholder framing document work that was hosted by CISA. She was also one of the founders of the SPDX project in 2009, and is currently the technical committee co-lead.
Josh Bressers is the Vice President of Security at Anchore, where he guides security features and serves as a public evangelist on topics like compliance, open source, and software supply chain security. With a career spanning over 20 years, Josh has a deep-rooted history in the open-source security community. Prior to Anchore, he built the product security team at Elastic and was an early member of the Red Hat Security Response Team, where he later founded the Product Security Team. Josh is a passionate contributor to the security community; he hosts both the “Open Source Security Podcast” and the “Hacker History Podcast.” Josh is an active member of the OpenSSF where he also co-leads the SBOM Everywhere project.
Dr. Anita D’Amico was co-leader of the SBOM Operations Working Group, an international, community-led tiger team facilitated by CISA, and she served as senior editor of their final report. She has directed several software security organizations over the past two decades: as Director of Secure Decisions, a cybersecurity R&D company; CEO of Code Dx, Inc., a startup acquired by Synopsys; and VP of Products at Synopsys Software Integrity Group (now Black Duck), where she also led their software supply chain security strategy.
Anita currently serves on the Board of Directors of Vigilant Ops, Inc., advises early-stage cybersecurity companies, and mentors rising cybersecurity leaders.
Dr. D’Amico holds a PhD in psychology from Adelphi University and a BA from the University of Pennsylvania. She has amassed an internationally cited portfolio of research and publications on cybersecurity decision making and how to visually communicate complex cybersecurity data.