Resources

The primary sources I point clients to

Everything here is open and free to use. When an engagement starts, we work from these materials rather than a proprietary methodology. No black boxes.

Standards

Specifications I chair or lead

These are the documents regulators cite and enterprise programs implement. Each is community driven and actively maintained.

Standard

CycloneDX (ECMA-424)

A full-stack Bill of Materials standard providing advanced supply chain capabilities for cyber risk reduction. Supports software, hardware, cryptography, machine learning, services, manufacturing, and operations.

cyclonedx.org · ECMA-424

Standard

OWASP Software Component Verification Standard (SCVS)

A community driven framework for identifying and reducing risk in the software supply chain. Referenced by the U.S. National Institute of Standards and Technology (NIST) in the Secure Software Development Framework (SSDF).

scvs.owasp.org

Standard

Transparency Exchange API

An Ecma TC54 standard under development for discovering and sharing software transparency information across organizations and ecosystems.

tc54.org/tea

Standard

Package-URL (purl)

A specification for identifying and locating software packages across diverse ecosystems. A foundational identifier across Software Bill of Materials (SBOM), Vulnerability Exploitability eXchange (VEX), vulnerability data, and attestations.

tc54.org/purl/

Standard

OWASP Common Lifecycle Enumeration (CLE)

A standardized vocabulary for describing software lifecycle states, phases, and events, enabling consistent reasoning about maintenance, support, and end of life.

tc54.org/cle/

Governance

Ecma International Technical Committee 54 (TC54)

The technical committee chartered to standardize the OWASP CycloneDX Bill of Materials specification and the broader family of software and system transparency standards.

tc54.org

Recommended reading

External sources I trust

Primary source material regulators and practitioners should know. I do not maintain these, but I reference them often and you should too.

  • NIST Special Publication (SP) 800-218. Secure Software Development Framework (SSDF), published by the U.S. National Institute of Standards and Technology. · csrc.nist.gov
  • EU Regulation 2024/2847. Cyber Resilience Act (CRA). Annex I Part I sets secure by design and secure by default obligations. Annex I Part II requires a machine-readable Software Bill of Materials (SBOM) covering top level dependencies and a coordinated vulnerability disclosure process. · eur-lex.europa.eu
  • Executive Order 14028. Improving the Nation's Cybersecurity. The U.S. federal attestation baseline. Still in force after EO 14306 (June 2025) rescinded the EO 14144 enhancements. · federalregister.gov
  • Office of Management and Budget (OMB) Memoranda M-22-18 and M-23-16. Attestation of secure software development practices for U.S. federal agencies. Read M-22-18 and the M-23-16 update. · OMB
  • FDA guidance on premarket cybersecurity. U.S. Food and Drug Administration guidance, including Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act). · fda.gov
  • CISA SBOM resources. Working group outputs and sharing guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). · cisa.gov/sbom
  • BSI Technical Guideline TR-03183. Cyber Resilience Requirements for Manufacturers and Products, published by the German Federal Office for Information Security (BSI). Part 2 covers the Software Bill of Materials (SBOM) and provides practical orientation for CRA implementation, requiring CycloneDX or SPDX as the SBOM exchange formats. · bsi.bund.de
  • ENISA guidance on software supply chain. European Union Agency for Cybersecurity (ENISA). Good practices for supply chain cybersecurity covering risk management, supplier relationships, vulnerability handling, and product quality. · enisa.europa.eu
  • ENISA Security by Design and Default Playbook (draft v0.4). Public consultation draft published March 2026. Translates CRA security requirements into 22 practical checklists across 14 secure by design and 8 secure by default principles, with minimum evidence sets and release gates aimed at small and medium sized manufacturers. · enisa.europa.eu (PDF)

Need a tailored reading list?

Send me a note describing your role, industry, and objective. I will send a short, curated list that cuts through the volume, free of charge.