Software Bill of Materials (SBOM) Maturity Model and Implementation Plan

Last updated: 6 November 2024

Purpose

This document outlines the direction Aspose needs to take as a software producer and consumer to enhance transparency and, more importantly, gain visibility into the security of our software supply chain. Aspose is assessing a rapidly evolving regulatory environment with references to SBOM requirements in numerous draft laws, U.S. and international executive orders, customer requests, and various community standards and specifications.

Why SBOMs are Important

  1. Transparency as a Core Value
    Providing accurate details on software components—including lineage and vulnerability data—aligns with Aspose’s values and its commitment as an open-core company. SBOMs are crucial to achieving software transparency.

  2. Addressing Risks from Software Dependencies
    SBOMs from other companies and open-source projects enable Aspose to make quick, risk-based decisions, reducing the risk posed by unknown dependencies and vulnerabilities.

  3. Competitive Advantage
    As a leader in DevSecOps, Aspose is held to a higher standard and must lead on SBOMs from both a product and a customer-trust perspective.

  4. Efficiency Through Standardization
    Using standard formats like CycloneDX and VEX helps streamline information flow, ensuring both Aspose and its customers can easily verify dependencies and the status of vulnerabilities.

  5. Regulatory Compliance
    While binding requirements are limited, SBOMs have been referenced in U.S. federal mandates, including an Executive Order, the National Cybersecurity Strategy, NIST standards, and draft legislation. Non-U.S. regulatory frameworks are following, with the regulatory landscape expected to evolve significantly.

Aspose is developing its Software Specification and plans to publish it in H2 2025.

In the meantime, customers can access the PDF or TXT version within each product download.