SBOM Vendor Management
Vendor Onboarding
Onboard your supply chain vendors and their respective SBOMs in a centralized, secure repository. Comply with the Presidential Executive Order of May 2021 on securing your software supply chain. Capture your vendor’s SBOM self-attestation forms, as well as ingest, store, and manage your vendor’s SBOMs through a single dashboard view.
SBOM Illumination
Quickly identify key risk and vulnerabilities within your vendor’s SBOMs, as defined by organizations such as Cybersecurity and Infrastructure Security Agency (CISA). Assess and score the risk associated with your vendor’s SBOMs, including vulnerabilities, licenses, contributors / communities, and dependencies.
SBOM Registry
Keep SBOMs in a centralized repository for visibility into the performance of all your vendors. Quickly identify if a new vendor is compliant with their respective SBOMs, per government requirements, and determine if their SBOMs pose a threat to your applications, with either known or new vulnerabilities. Secure your SBOM data as per the CMMC 2.0 requirements, particularly with Confidential Unclassified Information (CUI).
Manage SBOMs From Your Supply Chain Vendors (and your own SBOMs)
Manage, assess, store and monitor all your vendor’s SBOMs in one secure, centralized dashboard to improve supply chain security.
SBOM Assessment
Determine if your vendor’s SBOMs are compliant with key government minimum requirements from organizations such as the U.S. Federal Government’s National Telecommunication and Information Administration (NTIA). Assess if SBOM is acceptable with three key categories: data fields, data formats (e.g., SPDX, CycloneDX, SWID) and practices/processes.
SBOM Monitoring
Continuously monitor all your vendor’s SBOMs, receive risk alerts on known and new vulnerabilities contained within these SBOMs, receive key remediation recommendations, while assessing your vendor’s SBOM performance over time through SettleTop’s SBOM Registry. Securely integrate and manage data, whether in an open or closed, such as a Sensitive Compartmented Information Facility (SCIF), environment.
SBOM Forensics
Audit non-compliant vendors, particularly within mission critical programs as per the Federal Acquisition Supply Chain Security Act (FASCSA). Conduct in-depth analysis into code quality, app security, open source composition, secrets, infrastructure as code and many other risk areas. Leverage both SAST and DAST tools from a spectrum of open-source and commercial market players.