Operations Bill of Materials (OBOM)


Full-stack inventory of runtime environments, configurations, and additional dependencies

Software Bill of Materials
Software-as-a-Service BOM
Vulnerability Exploitability Exchange
Hardware Bill of Materials
Operations Bill of Materials
Vulnerability Disclosure Report
Javascript Object Notation
Extensible Markup Language
Protocol Buffers

CycloneDX is a full-stack bill of materials standard supporting entire runtime environments consisting of hardware, firmware, containers, operating systems, applications and their libraries. Coupled with the ability to specify configuration makes CycloneDX ideal for Operational Bill of Materials. OBOM is a security behavior defined in BSIMM and similar maturity models.

CycloneDX properties provide a mechanism to store configuration on a per-component and per-service basis inside a BOM. The specification also provides a mechanism to store URLs to documentation, including configuration management systems.

Independent OBOM and SBOM

Inventory described in a SBOM will typically remain static until such time the inventory changes. However, operational information may be dynamic and subject to change. Therefore, it is recommended to decouple the OBOM from the SBOM. This allows OBOM information to be updated without having to create and track additional SBOMs.

Independent SBOM and OBOM Document

High-Level Object Model

CycloneDX Object Model Swimlane



BOMs demonstrating OBOM capabilities can be found at https://github.com/CycloneDX/bom-examples

See also

Additional Capabilities

CycloneDX Supporters

Contrast Security
Ecma International
Fortress Information Security
Lockheed Martin