The Linux Foundation | 07 March 2023
The Linux Foundation, the nonprofit organization focused on fostering innovation through open
source, is excited to announce the launch of the Digital Bill of Materials (DBoM) Project. The DBoM Project's mission is to provide an open ecosystem for policy-enforced data source and attestation sharing. Possible supply chain intelligence use cases include Software Bills of Materials (SBOMs), Hardware Bills of Materials (HBOMs), Vulnerability Exploitability eXchange (VEX), manufacturing process-related data, custody, and data-sharing attestations.
A set of organizations at the leading edge of supply chain intelligence and security have joined together to support the launch of the DBoM Project. These include Unisys, Cybeats, Ceritas, DeltaDAO, and the National Manufacturing Institute of Scotland (NMIS), operated by the University of Strathclyde. Leading a global community representing all supply chain stakeholders, this founding group brings together the expertise, scale, and diversity necessary to continue this important work.
As evidenced by cybersecurity and pandemic-related disruptions, supply chain operations have impacted every individual and organization. Reliable, policy-based, standardized manners of sharing intelligence, such as SBOMs and HBOMs, have become a critical issue in recent years. The DBoM open attestation sharing infrastructure will provide a valuable means of sharing this information between supply chain partners.
The DBoM Node code was released as open source in December 2020 on GitHub. Working with public and private sector partners, the DBoM Project founding members developed use cases and proofs of concept (POCs) leading to this project launch.
In 2019, Unisys's Innovation team associates created a DBOM structure that would enable supply chain partners to attest to agreed supply chain data. Given the nature of supply chains, it warranted that this type of structure would best serve the industry as open source with the use of open standards. With this announcement, the DBoM Project will accelerate activities to support its mission.These include growing the community of DBoM contributors, collaborating on POCs for broader use cases, establishing labs, and hosting working groups.
“By collaborating with other companies on the Digital Bill of Materials (DBoM) open-source project, we will develop a common framework for ensuring the transparency and consistency in our suppliers’ software supply chain. At Unisys we are also evaluating other use cases such as
sharing ESG related information between partners in the supply chain of products and services”. - Dwayne Allen, CTO, Unisys Corporation
"The security and efficiency benefits of emerging supply chain intelligence such as Software Bill of Materials (SBOM) is driving the requirement for open source attestation sharing ecosystems
like the Linux Foundation Digital Bill of Materials (DBoM) Project represents. Cybeats is proud to join the Linux Foundation and such reputable organizations as represented in this release in
pursuing this important project and looks forward to contributing to the security of global supply chains." - Yoav Raiter, CEO Cybeats
“As DeltaDAO AG, we are fully committed to Gaia-X, a federated and transparent environment that will drive the European data economy of tomorrow. Part of this is giving users more control over their data and transparency about the composition of digital service offerings, a level of transparency we lack too often in today’s digital economy. Together with other members of the DBoM project, we can explore utilizing the DBoM approach to enable selective disclosure of security-related attributes where necessary, balancing the needs of transparency and security.” Kai Meinke, Co-Founder and Business Lead of DeltaDAO
“DBoM is the solution that the critical infrastructure sector needs; it provides uniformity and transparency in a cyberwarfare world where both are in short supply. Solutions that scale are the only solutions that matter, and in DBOM, the market has created its own peer-to-peer
mechanism. One of the most vital parts of the DBOM peer-to-peer standardization is its market and consortium origin; you can regulate to compliance, but only a market-generated solution
can ensure cybersecurity.” - John Taplett, Co-Founder of Ceritas
“Auditability – working on digital manufacturing solutions for the food & drink industry has presented a significant opportunity to reduce paper consumption, audit times and increase food quality through efficient capture and sharing of quality control data. NMIS sees data attestation enabled by the DBoM project as a key driver in increasing traceability without compromisingsensitive operational data while working toward net zero targets.” - Prof Andrew Sherlock, Director of Data-driven Manufacturing, NMIS
Learn more about and become involved with the DBoM Project by visiting the website dbom.io,
contacting us via email, or joining our discord server.
Media Contact: Noah Lehman (nlehman@linuxfoundation.org)