Collecting software bill of materials

  • Release version: Australia
  • Updated May 1, 2026
  • 3 minutes to read
  • A software bill of materials provides an inventory of the components, libraries, and dependencies included in a vendor's software. Third-party Risk Management (TPRM) supports collecting SBOM files as part of the due diligence process.

    SBOM overview

    A software bill of materials (SBOM) is a structured inventory file generated by a software vendor that lists the components, libraries, and dependencies used in a product. Risk teams can use SBOM data to review declared components and assess potential exposure associated with those components. Parsed SBOM data can be viewed in TPRM or in Unified Security Exposure Management (USEM). For more information about SBOM collection in Third-party Risk Management, see Exploring software bill of materials collection.

    SBOM files must conform to a supported industry standard, such as CycloneDX or SPDX. Vendors typically provide SBOM files in JSON; XML is also supported. If a third party uploads a file in any other format, such as PDF or Word, the system returns a parse error. For details on preparing and formatting SBOM files, see the Unified Security Exposure Management (USEM) SBOM documentation.

    Note:
    The vendor generates and maintains SBOM files using their own tooling. The ServiceNow platform does not create or edit SBOM files. Third-party Risk Management collects, parses, and links the submitted file to related records.
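    Because the platform only parses what the vendor submits, a vendor (or a risk team triaging a rejected upload) can apply the same acceptance rules locally before the file reaches the portal. The following preflight check is an added example written for this page, not ServiceNow code: it accepts only JSON or XML, recognises CycloneDX (by `bomFormat` or the `http://cyclonedx.org/schema/bom/` XML namespace) and SPDX (by `spdxVersion`), rejects PDF and Office binaries by their magic bytes, and summarises the declared components. The SPDX XML layout check (an un-namespaced `<Document>` root with `<packages>` children) is an assumption, and all sample documents are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# CycloneDX XML documents live in a versioned namespace, e.g. .../bom/1.5
CYCLONEDX_XML_NS_PREFIX = "http://cyclonedx.org/schema/bom/"
# Magic bytes of document types the page names as unsupported:
# PDF, OOXML (.docx is a zip container) and legacy OLE2 (.doc).
BINARY_MAGIC = (b"%PDF", b"PK\x03\x04", b"\xd0\xcf\x11\xe0")


class SbomParseError(ValueError):
    """The file is not a JSON or XML CycloneDX/SPDX document."""


@dataclass
class SbomSummary:
    standard: str        # "CycloneDX" or "SPDX"
    encoding: str        # "JSON" or "XML"
    spec_version: str
    components: List[str] = field(default_factory=list)  # "name@version"


def _qn(ns: str, name: str) -> str:
    """ElementTree-qualified tag: ('ns', 'bom') -> '{ns}bom'."""
    return f"{{{ns}}}{name}"


def _parse_json(data: bytes) -> SbomSummary:
    try:
        doc = json.loads(data.decode("utf-8-sig"))   # tolerate a UTF-8 BOM
    except ValueError as exc:                         # covers decode and JSON errors
        raise SbomParseError(f"malformed JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise SbomParseError("JSON top level is not an object")
    if doc.get("bomFormat") == "CycloneDX":
        comps = [f"{c.get('name', '?')}@{c.get('version', '?')}"
                 for c in doc.get("components", [])]
        return SbomSummary("CycloneDX", "JSON", str(doc.get("specVersion", "?")), comps)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        comps = [f"{p.get('name', '?')}@{p.get('versionInfo', '?')}"
                 for p in doc.get("packages", [])]
        return SbomSummary("SPDX", "JSON", doc["spdxVersion"], comps)
    raise SbomParseError("JSON has neither CycloneDX 'bomFormat' nor SPDX 'spdxVersion'")


def _parse_xml(data: bytes) -> SbomSummary:
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise SbomParseError(f"malformed XML: {exc}") from exc
    # Split "{namespace}local" into its parts; un-namespaced tags have ns == "".
    ns, _, local = root.tag[1:].partition("}") if root.tag.startswith("{") else ("", "", root.tag)
    if local == "bom" and ns.startswith(CYCLONEDX_XML_NS_PREFIX):
        comps = [f"{c.findtext(_qn(ns, 'name'), '?')}@{c.findtext(_qn(ns, 'version'), '?')}"
                 for c in root.iter(_qn(ns, "component"))]
        return SbomSummary("CycloneDX", "XML", ns[len(CYCLONEDX_XML_NS_PREFIX):], comps)
    # Assumption: SPDX 2.x XML has an un-namespaced <Document> root with a
    # <spdxVersion> child and one <packages> element per package.
    version = root.findtext("spdxVersion", "") if local == "Document" else ""
    if version.startswith("SPDX-"):
        comps = [f"{p.findtext('name', '?')}@{p.findtext('versionInfo', '?')}"
                 for p in root.iter("packages")]
        return SbomSummary("SPDX", "XML", version, comps)
    raise SbomParseError("XML root is neither a CycloneDX <bom> nor an SPDX <Document>")


def inspect_sbom(data: bytes) -> SbomSummary:
    """Classify and summarise an SBOM, or raise SbomParseError as the portal would."""
    if data.startswith(BINARY_MAGIC):
        raise SbomParseError("binary document (PDF/Office) is not an SBOM")
    body = data.lstrip(b"\xef\xbb\xbf \t\r\n")   # skip UTF-8 BOM and leading whitespace
    if body.startswith(b"{"):
        return _parse_json(data)
    if body.startswith(b"<"):
        return _parse_xml(data)
    raise SbomParseError("file is neither JSON nor XML")


def verdict(data: bytes) -> str:
    """One-line result suitable for a CI gate or a pre-upload check."""
    try:
        s = inspect_sbom(data)
    except SbomParseError as exc:
        return f"REJECT: {exc}"
    return f"OK: {s.standard}/{s.encoding} {s.spec_version}, {len(s.components)} component(s)"


# Constructed sample inputs for this example (not real vendor SBOMs).
SAMPLE_CYCLONEDX_JSON = b"""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [{"type": "library", "name": "log4j-core", "version": "2.17.1"},
                 {"type": "library", "name": "jackson-databind", "version": "2.15.2"}]
}"""
SAMPLE_SPDX_JSON = b"""{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
  "packages": [{"name": "openssl", "versionInfo": "3.0.12", "SPDXID": "SPDXRef-openssl"}]}"""
SAMPLE_CYCLONEDX_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1"><components>
  <component type="library"><name>zlib</name><version>1.3.1</version></component>
</components></bom>"""
SAMPLE_PDF = b"%PDF-1.7\n% a PDF export of an SBOM is not an SBOM"

if __name__ == "__main__":
    for label, blob in [("cdx.json", SAMPLE_CYCLONEDX_JSON), ("spdx.json", SAMPLE_SPDX_JSON),
                        ("cdx.xml", SAMPLE_CYCLONEDX_XML), ("sbom.pdf", SAMPLE_PDF)]:
        print(f"{label:10} {verdict(blob)}")
```

    The check is a format gate, not a schema validator: a file that passes here can still be rejected by the platform's SBOM API if it violates the CycloneDX or SPDX schema, so treat a green result as "worth uploading", not "will be accepted". If the check is run on files received from untrusted parties rather than on your own output, parse the XML with a hardened parser such as defusedxml instead of the standard-library ElementTree.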

    SBOM collection in Third-party Risk Management

    SBOM collection occurs during third-party due diligence. The SBOM required field on the third-party due diligence request form indicates when SBOM collection is required for an engagement. When selected, the system associates an SBOM questionnaire template with the external assessment for that engagement.

    The questionnaire is sent to an engagement contact through the third-party portal as part of the engagement-level external assessment. No additional assessments or alternate workflows are introduced as part of this process.

    When the assessment is submitted, post-assessment processing sends the uploaded file to the SBOM API provided by Unified Security Exposure Management (USEM). Parsed SBOM component records are then associated with the relevant engagement and, where applicable, the related third-party record. The outcome of processing depends on the third party's response. For details on each response path, including error handling and third-party decline, see Request a software bill of materials from an engagement. For troubleshooting API processing issues, see the Unified Security Exposure Management (USEM) SBOM documentation.

    The third-party risk assessor, third-party risk manager, and third-party administrator roles can access the SBOM workspace and upload or update manufacturer data. Third-party assessment reviewers can view SBOM component records on the engagement and third-party records but don't have access to the SBOM workspace. Internal reviewers don't have access to the SBOM workspace.

    Note:
    Users with access to the SBOM workspace also require edit access to the CMDB product model table to update the manufacturer field.

    Limitations

    The following constraints apply to SBOM collection:

    • Smart Assessment Engine (SAE) only: SBOM collection is supported only for engagements that use the Smart Assessment Engine. This feature does not support classic assessments.
    • Engagement-level collection: The SBOM questionnaire is associated with the engagement-level vendor risk assessment. This feature does not support collection at the third-party level directly.
    • Supported file formats: JSON and XML are supported. Submitting a file in any other format returns a parse error and reopens the assessment for resubmission.
    • Supported workflows: onboarding, renewal, and reassessment workflows are supported. For renewal and reassessment engagements, existing SBOM records can be updated rather than fully re-uploaded. This feature does not support offboarding.
    • Risk scoring behavior: information derived from SBOM components is not incorporated into the overall Third-party Risk Management risk score by default. Organizations can configure this behavior.
    • Component-to-vendor relationships: SBOM components reference the software manufacturer through the product model record. Automated relationships to sub-vendors or sub-processors are not established.

    Feature availability

    Availability of SBOM-related functionality depends on activated applications and configuration. The core due diligence workflow operates independently of SBOM processing.

    SBOM collection capabilities are available separately. Check your entitlements to determine whether you have access to SBOM collection capabilities. All required applications are available from the ServiceNow Store and must be installed individually.

    The following applications are required to collect and process SBOM files:

    • SBOM Core (sn_sbom_core)
    • Data Model for SBOM (sn_sbom_dm)

    The following additional applications are required to view vulnerability details associated with SBOM components:

    • SBOM Response (sn_sbom_resp)
    • Vulnerability Response (sn_vul)

    Note:
    Some SBOM capabilities require additional configuration after installation. For more information, see Activate SBOM support.