The exponential growth of software supply chain attacks has triggered an industrywide push for increased transparency around the provenance and content of the programs and code that are brought into today\u2019s systems. One artifact playing a critical role in that increased transparency is the software bill of materials (SBOM) or, more broadly, bills of material (BOMs), as there are several types.\n\nOne organization that continues to be a leader in evangelism for these formal, structured records that detail the components of a software product and their supply chain relationships is the Open Worldwide Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software. OWASP has continued to provide guidance and resources to ensure the industry can successfully adopt and utilize them. In addition to being the home of one of the leading SBOM formats in CycloneDX and the source of the OWASP CycloneDX Authoritative Guide to SBOM, the team recently announced the release of its BOM Maturity Model.\n\nIts goal is to \u201cprovide a formalized structure in which bills of materials can be evaluated for a wide range of capabilities.\u201d These include a formal taxonomy of different data types, unique identifiers, descriptions, and other metadata as well as various levels of complexity to support different types of data. Here's what the BOM Maturity Model consists of and how it may be used by the industry, focusing on SBOMs due to their importance in the cybersecurity ecosystem when it comes to software supply chain security.\n\nWhat should be in an SBOM?\n\nWhile there is much debate about what exactly an SBOM should contain and how much data and metadata is sufficient, one leading resource is often cited, the \u201cThe Minimum Elements for a Software Bill of Materials\u201d as defined by the National Telecommunications and Information Administration (NTIA). Much of the momentum to consider SBOMs, especially in the federal space following the issuance of Cybersecurity Executive Order 14028 in 2021, was driven by the NTIA.\n\nThe minimum elements documents define the below data fields as baseline information that should be tracked and maintained for a piece of software via an SBOM:\n\nDespite these being recommended as the minimum elements for an SBOM, studies by organizations such as Chainguard demonstrate that only 1% of SBOMs sampled were entirely conformant with the defined minimum elements. This was from a sample size of 3,000 SBOMs using an OSS tool known as ntia-conformance-checker. In addition to the lack of entire conformance, it found that one-third of SBOMs didn\u2019t specify a name or version for all components and the existing tooling in the space produced disparate and inconsistent outputs, further complicating the matter. Needless to say, the industry has a lot of maturing to do when it comes to SBOM completeness and quality.\n\nEnter the BOM Maturity Model\n\nThe goal of the BOM Maturity Model is to provide a formalized structure to evaluate the maturity of BOMs, including SBOMs, across various criteria. The project states that it can function as a mechanism to evaluate whether incoming BOMs align with organizational requirements, assess BOM generation and consumption tools and determine how current and future BOM formats fit into organizational requirements.\n\nHere are some of the key aspects of the BOM Maturity Model and how it may be used.\n\nDifficulty Levels\n\nFirst up is the support for measuring the various difficulty levels of obtaining a BOM. These include Low, Moderate and High, with each posing increased difficulty in obtaining an accurate BOM.\n\nSupport Levels\n\nSupport covers the various weighted levels assessing the level of native support within a specification for data fields and the level of parsing and enrichment that may be required to get the data to the desired completeness. Support levels range from 0-5, going from entirely unsupported to natively supported, as demonstrated in the table below.\n\nTaxonomy\n\nThe Taxonomy section of the BOM Maturity Model is the most comprehensive and extensible, covering a significant array of metadata that can be used to inform the analysis and information associated with a BOM and the components, software, and systems it represents. Below are some of the key areas of the taxonomy, along with a brief discussion on their associated details and fields.\n\nProfiles\n\nProfiles are among the most promising aspects of the BOM Maturity Model, allowing organizations to define globally universal profiles across the organization as well as specific profiles for stakeholders interested in specific data and metrics. The profiles can empower use cases such as analyzing BOMs to determine what use cases they can be used for and defining organizational profiles around what data is desired or required to perform the necessary analysis on a BOM.\n\nA journey toward bill-of-materials maturity\n\nMuch as with other industry efforts such as zero trust, the journey towards establishing widespread mature BOMs with sufficient detail and depth will be just that -- a journey. That said, resources such as OWASP\u2019s SBOM Guide and the BOM Maturity Model can serve as great tools that organizations, software suppliers and consumers can use to mature their implementation of SBOMs and ensure they are providing sufficient insight and details to be used in activities such as software asset inventory, vulnerability management and software supply chain security.\n\nHowever, as demonstrated in the study cited earlier, as an industry we\u2019re in the infancy of mature BOM adoption and implementation. While the journey may seem daunting, the alternative is continuing the historical status quo of blind software consumption with limited transparency and insight into the software we are consuming, its lineage, who\u2019s been involved in it and what has occurred to it along the way. We wouldn\u2019t settle for this level of opaque risky consumption in other industries such as food and pharmaceuticals and with software increasingly driving nearly every aspect of society, we shouldn\u2019t settle for a lack of transparency here either.