Appendix B: References

The following resources may be useful to users and adopters of this standard:

OWASP Projects

  • OWASP Packman
  • OWASP Software Assurance Maturity Model (SAMM)

Community Projects

  • Open Source Security Foundation: Threats, Risks, and Mitigations in the Open Source Ecosystem

Others

  • InnerSource
  • Cybersecurity Maturity Model Certification (CMMC)
  • NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
  • NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NTIA Documents on Software Bill of Materials
  • Model Procurement Contract Language Addressing Cybersecurity Supply Chain Risk
  • Guide on Cybersecurity Procurement Language in Task Order Requests for Proposals for Federal Facilities
  • Energy Sector Control Systems Working Group (ESCSWG)

SBOM Formats

  • CycloneDX
  • SPDX
  • SPDX XML
  • ISO/IEC 19770-2:2015 (SWID)

© OWASP Foundation - SCVS is an OWASP Labs Project