SBOM Vendor Management vs. SBOM Management - is there a difference? Absolutely

One of the key questions we get from our customers is centered around the capabilities of our SBOM solution. As such, there is often confusion between a SBOM Management Solution versus a SBOM Vendor Management Solution.  Below is a quick description of each:

SBOM Management - SBOM Management Solutions involve the overall process of generating, maintaining, and utilizing SBOMs WITHIN an organization. This includes identifying the components and dependencies used in software projects, generating SBOMs for these projects, updating SBOMs as new versions or patches are released, and integrating SBOMs into the organization's software development and supply chain processes. SBOM management aims to improve transparency, security, and compliance by providing detailed information about the software components used within a organization’s products. 

SBOM Vendor Management - SBOM Vendor Management Solutions specifically focus on managing SBOMs provided by EXTERNAL third-party vendors or suppliers. Many software products incorporate components and dependencies from external vendors, including open-source libraries, commercial software, and other third-party sources. SBOM vendor management involves assessing and managing the SBOMs provided by these vendors to understand the components and dependencies used in their products. This may include evaluating the completeness and accuracy of vendor-provided SBOMs, verifying the risk, security and compliance of included components, and ensuring that vendors adhere to contractual and regulatory requirements related to SBOM disclosure.

In summary, SBOM Management encompasses the broader process of managing SBOMs within an organization, while SBOM Vendor Management specifically focuses on managing SBOMs provided by external vendors or suppliers. Both are important aspects of software supply chain management and contribute to improving transparency, security, and compliance in software development and distribution. If a customer is working with the US government, any SBOM solution provider should be compliant and incorporate all guidance from organizations such as the NTIA and CISA.