The following pages will guide device operators, on how to deal with SBOMs in practical manner.

Step 1: contact your supplier and inform them about your requirements for SBOMs

Step 2: set out procurement guidelines

Step 3: evaluate procurement proposals and proposed hardware & software

Step 4: evaluate SBOM and investigate dependencies

Step 5: integrate an automated vulnerability reporting system into the Security Operations Center

Step 6: exercise incidents on a regular basis

Step 7: ensure there is an automated update process in place