Capgemini 2021 Report on SBOMs

The Dutch CyberSecurity Center (NCSC) commissioned Capgemini Invent in 2020 to explore the current landscape and the potential purposes and uses of SBoM in a cybersecurity context. The research report from February 2021 describes the potential of SBoM for software production, software selection and procurement, software operation, and SecDevOps. The general findings are:

1. SBoM is gaining traction within the IT security world.
2. SBoM is considered valuable for IT security management.
3. The existence of an SBoM is considered an indicator of IT product quality.
4. Accepted data standards and tools are limited.
5. The balance between SBoM detail and practical usability is still under discussion.
6. There is not much standardization for the use of SBoM.

The results of this project contribute to a better understanding of new concepts and provide input for future projects and innovation in this field of interest.

While some of its findings are still highly relevant today, work has since been done to improve the practicality and development of the data standards and of standardization for the use of SBOM. More information and the full report can be downloaded from