Exploring software bill of materials collection

  • Release version: Australia
  • Updated May 1, 2026
    Third-party Risk Management (TPRM) collects software bill of materials (SBOM) files through engagement-level due diligence. This topic covers the users and workflow involved.

    SBOM overview

    A software bill of materials is a structured inventory file generated by a software vendor that lists the components, libraries, and dependencies used in a product. Third-party Risk Management supports collecting SBOM files as part of the due diligence process for third-party engagements.

    SBOM files follow industry-standard formats. Third parties typically provide SBOM files in JSON format. XML formats are also supported. The third party generates and maintains SBOM files and uploads them through the engagement's external assessment for collection and processing. Third-party Risk Management collects, parses, and associates the submitted file with related records.

    Important:
    SBOM collection is supported only for engagements that use the Smart Assessment Engine (SAE). Classic assessments are not supported.

    SBOM users

    Table 1. Users
    User | Description
    Third-party risk assessor | Sends assessments to third-party contacts and reviews submitted and processed SBOM information for an engagement. Can access the SBOM workspace.
    Third-party risk manager | Oversees SBOM collection across engagements and uses submitted information to support risk evaluation. Can access the SBOM workspace.
    Third-party administrator | Configures access and permissions to support SBOM collection and review across engagements. Can access the SBOM workspace.
    Third-party assessment reviewer | Can view SBOM component records on the engagement and third-party records. Does not have access to the SBOM workspace.
    Third-party contact | Receives the engagement's external assessment through the portal and uploads an SBOM file on behalf of their organization.

    SBOM workflow

    The SBOM collection workflow runs as part of the standard due diligence process for a third-party engagement. When the SBOM required field is selected on the due diligence request and the engagement uses the SAE, the system automatically associates an SBOM questionnaire template with the external assessment for the engagement.

    1. An employee at your organization requesting due diligence selects the SBOM required field on the due diligence request.
    2. When the due diligence request advances to the due diligence stage, the system automatically associates the SBOM questionnaire template with the external assessment for the engagement.
    3. The engagement contact receives the assessment through the third-party portal and uploads the SBOM file.
    4. Post-assessment processing sends the file to the SBOM API, provided by Unified Security Exposure Management (USEM). The outcome depends on the third party's response:

      • If the file is valid, parsed component records are associated with the engagement and, where applicable, the related third-party record.
      • If the file cannot be parsed, the assessment is reopened for resubmission.
      • If the third party declines to provide an SBOM, the assessment is closed.

      For details on each path, see Request a software bill of materials from an engagement.

      For troubleshooting API processing issues, see the Unified Security Exposure Management (USEM) documentation.

    5. The third-party risk manager reviews SBOM information in the engagement context.

    Note:
    After activating the required applications and using SAE-based due diligence, the automation attaches the default SBOM questionnaire when SBOM required is selected. Your organization can also configure which evaluations or conditions trigger SBOM collection.
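    The three outcomes of step 4 (valid file, unparseable file, declined) are easy to misread until you see them applied to real input. The following is an added illustration, not the SBOM API or any Third-party Risk Management code: it parses a JSON or XML SBOM into (name, version, purl) component records and returns the workflow outcome. The sample SBOMs are constructed, and the CycloneDX-style keys (components, name, version, purl) are an assumption, since the page names only JSON and XML.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample SBOMs (illustrative, not from any vendor). The page says
# third parties supply JSON or XML; CycloneDX-style keys are assumed here.
SAMPLE_JSON = b'''{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "log4j-core", "version": "2.17.1",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
  {"name": "jackson-databind", "version": "2.15.2"}]}'''
SAMPLE_XML = b'''<bom xmlns="http://cyclonedx.org/schema/bom/1.5"><components>
  <component type="library"><name>openssl</name><version>3.0.13</version>
    <purl>pkg:generic/openssl@3.0.13</purl></component></components></bom>'''
SAMPLE_BROKEN = b'{"components": [ {"name": "x"'   # truncated upload

def _local(tag):
    # Drop an XML namespace prefix such as {http://cyclonedx.org/...}component
    return tag.rsplit('}', 1)[-1]

def parse_components(data):
    """Return a list of (name, version, purl) records, or None if unparseable."""
    try:                                   # JSON first: the common case
        doc = json.loads(data)
        comps = doc.get("components") if isinstance(doc, dict) else None
        if not isinstance(comps, list):
            return None                    # well-formed JSON but no component list
        return [(c.get("name"), c.get("version"), c.get("purl"))
                for c in comps if isinstance(c, dict)]
    except ValueError:                     # not JSON, fall through to XML
        pass
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    records = []
    for el in root.iter():
        if _local(el.tag) != "component":
            continue
        fields = {_local(ch.tag): (ch.text or "").strip() for ch in el}
        records.append((fields.get("name"), fields.get("version"), fields.get("purl")))
    return records

def classify_submission(data, declined=False):
    """Mirror the three outcomes in the workflow: closed, reopened, associated."""
    if declined:
        return "closed", []              # third party declined to provide an SBOM
    comps = parse_components(data)
    if comps is None:
        return "reopened", []            # cannot be parsed: ask for resubmission
    return "associated", comps           # valid: records attach to the engagement

if __name__ == "__main__":
    for label, blob in [("json", SAMPLE_JSON), ("xml", SAMPLE_XML), ("broken", SAMPLE_BROKEN)]:
        print(label, classify_submission(blob))
```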

    SBOM benefits

    Table 2. SBOM benefits
    Benefit | Feature | Users
    Request SBOM data as part of due diligence for a third-party engagement. | SBOM collection | Third-party risk assessor, third-party risk manager
    Review submitted SBOM files and related processing activity in the engagement context. | Assessment activity and processing | Third-party risk assessor, third-party risk manager
    Review parsed software component declarations for the engagement and, where applicable, related third-party context. | Parsed component records | Third-party risk assessor, third-party risk manager
    If your instance has the SBOM Response and Vulnerability Response applications installed, access vulnerability details associated with declared SBOM components. | Vulnerability details | Third-party risk assessor, third-party risk manager