SBOM Compliance Series (Part 4): Understanding BSI TR-03183-2 v2.0, 🇩🇪 Germany Compliance

Overview This is the fourth part of our SBOM compliance series. In the previous post, we discussed BSI TR-03183-2 v1.1, Germany’s SBOM compliance framework, and how to validate your SBOM using sbomqs. In this post, we will discuss BSI TR-03183-2 v2.0, the updated version released in September 2024: what changed, what it now expects from an SBOM, and how to check compliance. Let’s go. Context 🇩🇪 Germany’s Federal Office for Information Security (BSI) released version 2.0.0 of TR-03183-2 on 2024-09-20. This is a significant update, not just a clarification pass. v2.0 adds new required fields, introduces a brand new optional tier, and tightens the language around vulnerability information. ...

March 25, 2026 · 18 min · 3757 words · Vivek Sahu

SBOM Compliance Series (Part 3): Understanding BSI TR-03183-2 v1.1, Germany Compliance

Overview This is the third part of our SBOM compliance series. In the previous post, we discussed Framing Software Component Transparency (FSCT), how it builds on NTIA and shifts the focus from minimum presence to meaningful transparency. In this post, we will discuss BSI TR-03183-2 v1.1, Germany’s SBOM compliance framework, why it exists, what it expects from an SBOM, and how it compares to what we’ve seen so far. Let’s go. ...

March 23, 2026 · 13 min · 2627 words · Vivek Sahu

sbomqs Scoring Support for BSI 1.1 and BSI 2.0 in a Summarized Way

Hey SBOM community, love to see you back here learning something new. If you’re working with SBOMs, you probably know that generating an SBOM is just the first step. What you get after generating an SBOM is just a raw SBOM. And the raw SBOM is incomplete, sometimes inaccurate, and most importantly does not even comply with the NTIA minimum elements, according to this research whitepaper. ...

September 23, 2025 · 5 min · 970 words · Vivek Sahu

What’s Missing in Your SBOM? sbomqs List Can Help You in Inspecting...

Hey there 👋 SBOM practitioners, compliance engineers, and open-source watchers! If you’ve been working with SBOMs lately—whether you’re producing them or consuming them—you’ve probably noticed how quickly they’ve gone from “nice to have” to absolutely essential. I hope you’re now getting comfortable working with SBOMs and familiar with software supply chain security terminology. We all know about the wake-up call on SBOMs, ...

September 23, 2025 · 7 min · 1341 words · Vivek Sahu