SBOM Maturity AssessmentBy landing here you’ve made a great decision. Our SBOM Maturity Framework is based on almost fifteen years of industry expertise focused on helping our customers create a complete inventory of software components—today’s Software Bill of Materials. Answers to this quick 14-question survey will help us assess your current state of SBOM management and offer specific action items to help you move further up the maturity spectrum. Once you’ve answered the questions, click submit and start your journey to realizing the benefits of a complete SBOM management strategy. What is your role in your company? Security Software Engineering/Development Legal ITAM IT Other What type of company do you work for? We are a software provider (sell software applications) We purchase software from software providers (we are a B-to-B company) We purchase software from software providers (we are a B-to-C company) We are both a software provider and we purchase software from providers How does your organization catalog third-party content in your applications? Disclosures only Package-level Forensic level Risk-based hybrid (combination of the above) We don't Which teams consume/use the output of your scan results?(check all that apply) Security Legal Software development/engineering/product management Open Source Program Office/ Formal Centralized Team None Select which option best describes what organization in your company owns the management of open source and third-party components? An open source program office (OSPO) Formal centralized team Engineering/DevSecOps teams Legal Security I don’t know Does your SBOM represent code developed by your partners and third-party suppliers? Yes No I don't know How often do you request a new/updated SBOM? Each release More frequent than each release Less frequent How are you producing SBOMs today? It’s a manual process Homegrown/Open source solution Commercial SCA/SBOM solution We aren’t producing SBOMs Does your SBOM include fields beyond the minimum required by NTIA (National Telecommunications and Information Administration)? Yes No I don’t know Which standardized SBOM format are you using?(check all that apply) SPDX CycloneDX Software Identification Tagging (SWID) Spreadsheet None of the above I don’t know If your customer asked you for an SBOM, how quickly could you provide one? Immediately A day One week In a month Never I don’t know What do you do with SBOMs you construct or obtain from third parties? Nothing Store in a file system Manually assess Ingest into an actionable SBOM management system I don’t know Is your organization able to produce security reports such as VDR and VEX for vulnerability assessment? Yes No I don’t know How effectively did your company handle the identification, impact assessment, and remediation of the Log4j security vulnerabilities in late 2021? It was highly disruptive and followed a mostly manual, reactive process that took place over an extended period of time It was not disruptive. We had an active inventory of all of our instances of Log4j use across the company; just had to search it and schedule remediation work Not applicable; we don’t use Java (Log4j is a Java-based logging utility) I don’t know CommentsThis field is for validation purposes and should be left unchanged.
