SBOM Lifecycle Drafter
Overview
Draft and maintain the SBOM Management Procedure aligned with NIST CSF 2.0 ID.AM. Covers ingestion, validation, and monitoring of SBOMs; Vulnerability Disclosure when NVD flags a component; and developer Attestation of Security. One extension tool, cyclonedx_schema_validator, runs on procedure drafts (to check they describe the right elements) and on SBOM JSON files (to verify CycloneDX or SPDX structure) so the documented process stays compatible with industry standards.
Example Conversation
You: We need an SBOM Management Procedure for NIST CSF 2.0 ID.AM. We ingest CycloneDX from our build pipeline and want a clear vulnerability disclosure process when the NVD flags a component. Include developer attestation.
Agent: I’ll draft the procedure with scope, lifecycle (ingest → validate → monitor), vulnerability disclosure when a component is flagged by the NVD, and Attestation of Security. Then I’ll run cyclonedx_schema_validator on the procedure document to ensure it covers all required elements.
Agent: I’ve written the procedure in SBOM-Management-Procedure.md. Running cyclonedx_schema_validator on it…
Agent: Result of cyclonedx_schema_validator:
=== PROCEDURE COMPATIBILITY (CYCLONEDX/SPDX) ===
Result: PASS
Document: SBOM-Management-Procedure.md
All required procedure elements present: ingestion, validation, monitoring, CycloneDX/SPDX, vulnerability disclosure, attestation.
The procedure passes. I can also run the validator on a sample SBOM file from your workspace to confirm the described ingestion is compatible with CycloneDX/SPDX schema.
Output Excerpt
After the agent drafts the procedure and runs the validator, the document typically includes scope, roles, the ingest–validate–monitor lifecycle, vulnerability disclosure, and attestation. Excerpt:
# SBOM Management Procedure (NIST CSF 2.0 ID.AM)
## 1. Scope and ownership
This procedure applies to all third-party and internal software that is deployed or delivered. Procedure owner: Engineering and GRC. SBOMs are ingested from CI/CD (CycloneDX JSON) and from vendors (CycloneDX or SPDX JSON).
## 2. Lifecycle
**Ingestion** — SBOMs are accepted from build pipelines (CycloneDX) and from suppliers (CycloneDX or SPDX). Only JSON format is accepted; schema validation is performed before storage.
**Validation** — Each ingested SBOM is validated with the cyclonedx_schema_validator (or equivalent) to ensure compatibility with CycloneDX or SPDX before correlation with the NVD.
**Monitoring** — Stored SBOMs are correlated with the National Vulnerability Database (NVD) on a defined schedule. When a component is flagged by the NVD, the Vulnerability Disclosure process (Section 3) is triggered.
## 3. Vulnerability disclosure
When a component in an SBOM is flagged by the NVD: (1) Triage — confirm component/version and CVE applicability; (2) Remediate or document risk acceptance; (3) Update SBOM and re-validate; (4) Internal/external disclosure as per policy.
## 4. Attestation of Security
Developers (or suppliers) provide an Attestation of Security per release, stating that SBOMs are produced and current and that known critical vulnerabilities have been addressed or risk-accepted with justification.
Running cyclonedx_schema_validator on this procedure would pass (ingestion, validation, monitoring, CycloneDX/SPDX, vulnerability disclosure, attestation all present). Running it on a sample sbom.json would validate the file’s CycloneDX or SPDX structure.
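As an added illustration of the Monitoring step and its hand-off into Section 3 (this is example code, not part of the procedure excerpt and not the skill's own tooling): the snippet below correlates CycloneDX components, by package URL, against a locally stored advisory snapshot and emits one triage record per match, which is the input to step (1) of the disclosure process. The SBOM fragment, the advisory table, the CVE identifiers (placeholders) and the version-range semantics are all constructed for this example; it also assumes dotted numeric versions and unscoped purls. A real deployment would refresh the snapshot from the NVD on the procedure's schedule, which the page does not specify.

```python
import re

# Constructed CycloneDX fragment (not a real SBOM). purl format: pkg:type/name@version
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 3,
    "components": [
        {"type": "library", "name": "example-json", "version": "2.4.1",
         "purl": "pkg:pypi/example-json@2.4.1"},
        {"type": "library", "name": "example-http", "version": "1.9.0",
         "purl": "pkg:npm/example-http@1.9.0"},
        {"type": "library", "name": "example-crypto", "version": "3.0.2",
         "purl": "pkg:pypi/example-crypto@3.0.2"},
    ],
}

# Constructed advisory snapshot standing in for an NVD feed. CVE ids are
# placeholders, not real identifiers. Affected range is [introduced, fixed);
# fixed=None means no fixed version is known.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "ecosystem": "pypi", "name": "example-json",
     "introduced": "2.0.0", "fixed": "2.5.0", "severity": "CRITICAL"},
    {"cve": "CVE-0000-0002", "ecosystem": "npm", "name": "example-http",
     "introduced": "1.0.0", "fixed": "1.8.5", "severity": "HIGH"},
    {"cve": "CVE-0000-0003", "ecosystem": "pypi", "name": "example-crypto",
     "introduced": "3.1.0", "fixed": None, "severity": "HIGH"},
]

# Simplified purl grammar (assumption): no namespace/scope, no qualifiers used.
PURL_RE = re.compile(r"^pkg:([^/]+)/([^@]+)@([^?#]+)")


def parse_purl(purl):
    """Return (ecosystem, name, version) from a simple purl, or None if it does not parse."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def version_key(v, width=4):
    """Dotted numeric versions only (assumption); zero-padded so 2.5 compares equal to 2.5.0."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or version >= introduced with no fix known)."""
    vk = version_key(version)
    if vk < version_key(introduced):
        return False
    return fixed is None or vk < version_key(fixed)


def correlate(sbom, advisories):
    """Return one triage record per (component, advisory) match.

    Each record carries what step (1) of the disclosure process needs:
    the component/version and the CVE whose applicability must be confirmed.
    """
    records = []
    for comp in sbom.get("components", []):
        parsed = parse_purl(comp.get("purl", ""))
        if parsed is None:
            continue  # no usable purl: cannot correlate automatically, leave for manual review
        eco, name, version = parsed
        for adv in advisories:
            if (adv["ecosystem"], adv["name"]) != (eco, name):
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                records.append({
                    "component": comp["name"], "purl": comp["purl"],
                    "cve": adv["cve"], "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                    "status": "triage",
                    "next_step": "confirm component/version and CVE applicability",
                })
    return records


if __name__ == "__main__":
    for record in correlate(SBOM, ADVISORIES):
        print(record)
```

In the constructed data only example-json is inside an affected range; example-http is already past its fixed version and example-crypto predates the introduced version, so neither produces a record. Components without a purl are deliberately skipped rather than name-matched, because name-only matching across ecosystems is a common source of false positives in triage.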
Extension Tool and Validations
The skill includes one validation tool that can run on either a procedure document (Markdown/text) or an SBOM file (JSON). Mode is inferred from the file path (.json → SBOM; otherwise → procedure).
cyclonedx_schema_validator — Run on the procedure draft before finalizing, and on sample SBOM files to confirm the described ingestion is compatible with standards.
When run on a procedure document:
- Required elements — The tool checks that the text mentions:
  - Ingestion — How SBOMs are received (e.g. ingest, accept, receive).
  - Validation — Schema or format validation (e.g. validate, schema, cyclonedx_schema_validator).
  - Monitoring — Ongoing checks (e.g. monitor, NVD, vulnerability scan, correlate).
  - CycloneDX or SPDX — At least one standard (CycloneDX, SPDX, or “software bill of materials” and “standard”).
  - Vulnerability disclosure — Process when a component is flagged (e.g. vulnerability disclosure, NVD flag, disclosure process).
  - Attestation — Developer or supplier attestation (e.g. attestation of security, developer attestation).
- Result — PASS only when all six elements are present; otherwise FAIL with a list of missing elements.
When run on an SBOM file (JSON):
- CycloneDX — Checks for `bomFormat: "CycloneDX"`, `specVersion` (string), `version` (number), and `components` (array).
- SPDX — If not CycloneDX, checks for `spdxVersion` (string, e.g. SPDX-2.x), `dataLicense`, `SPDXID`, `name`, and either `packages` or `documentDescribes`.
- Result — PASS when the file has valid minimal CycloneDX or SPDX structure; FAIL with a short reason otherwise.
Use the validator on the procedure first, then on sample SBOMs to ensure the documented process and actual artifacts align with industry standards.
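To make both modes concrete (the six-element procedure check and the minimal CycloneDX/SPDX structure check), here is an added Python re-implementation of the checks as this page describes them. It is not the skill's own cyclonedx_schema_validator source: the function names, the exact keyword lists, the `SPDX-2.x` pattern, the mode-inference helper and the constructed sample documents are all assumptions made for this example.

```python
import json
import re
from pathlib import Path

# Keyword groups for the six required procedure elements, taken from the
# page's list. The real tool's exact keyword set is an assumption.
REQUIRED_ELEMENTS = {
    "ingestion": ("ingest", "accept", "receive"),
    "validation": ("validate", "schema", "cyclonedx_schema_validator"),
    "monitoring": ("monitor", "nvd", "vulnerability scan", "correlate"),
    "cyclonedx/spdx": ("cyclonedx", "spdx"),
    "vulnerability disclosure": ("vulnerability disclosure", "nvd flag", "disclosure process"),
    "attestation": ("attestation of security", "developer attestation"),
}


def check_procedure(text):
    """Procedure mode: PASS only when every element has at least one keyword hit."""
    lowered = text.lower()
    missing = []
    for element, keywords in REQUIRED_ELEMENTS.items():
        hit = any(k in lowered for k in keywords)
        if element == "cyclonedx/spdx" and not hit:
            # The page also accepts "software bill of materials" together with "standard".
            hit = "software bill of materials" in lowered and "standard" in lowered
        if not hit:
            missing.append(element)
    return {"mode": "procedure", "result": "PASS" if not missing else "FAIL",
            "missing": missing}


def _verdict(standard, problems):
    """Common result shape for SBOM mode: FAIL carries a short reason, as the page describes."""
    return {"mode": "sbom", "standard": standard,
            "result": "PASS" if not problems else "FAIL",
            "reason": "; ".join(problems) if problems else "minimal structure ok"}


def check_sbom(doc):
    """SBOM mode: test minimal CycloneDX structure first, then SPDX."""
    if doc.get("bomFormat") == "CycloneDX":
        problems = []
        if not isinstance(doc.get("specVersion"), str):
            problems.append("specVersion must be a string")
        version = doc.get("version")
        if isinstance(version, bool) or not isinstance(version, (int, float)):
            problems.append("version must be a number")
        if not isinstance(doc.get("components"), list):
            problems.append("components must be an array")
        return _verdict("CycloneDX", problems)
    spdx_version = doc.get("spdxVersion")
    if isinstance(spdx_version, str):
        problems = []
        if not re.fullmatch(r"SPDX-2\.\d+", spdx_version):
            problems.append("spdxVersion should look like SPDX-2.x")
        for key in ("dataLicense", "SPDXID", "name"):
            if key not in doc:
                problems.append(f"missing {key}")
        if "packages" not in doc and "documentDescribes" not in doc:
            problems.append("need either packages or documentDescribes")
        return _verdict("SPDX", problems)
    return _verdict(None, ["neither bomFormat: CycloneDX nor a string spdxVersion found"])


def validate(path, content=None):
    """Infer the mode from the extension (.json -> SBOM, anything else -> procedure).

    `content` lets a caller pass the text directly; otherwise the file is read.
    """
    p = Path(path)
    if content is None:
        content = p.read_text(encoding="utf-8")
    if p.suffix.lower() != ".json":
        return check_procedure(content)
    try:
        doc = json.loads(content)
    except json.JSONDecodeError as exc:
        return _verdict(None, [f"not valid JSON: {exc.msg}"])
    if not isinstance(doc, dict):
        return _verdict(None, ["top-level JSON value is not an object"])
    return check_sbom(doc)


# Constructed samples for a stand-alone run (not real SBOMs or a real procedure).
SAMPLE_CYCLONEDX = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
                    "components": [{"type": "library", "name": "example-lib", "version": "2.3.1"}]}
SAMPLE_SPDX = {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
               "name": "example-app", "packages": [{"name": "example-lib", "versionInfo": "2.3.1"}]}
SAMPLE_BROKEN = {"bomFormat": "CycloneDX", "specVersion": 1.5, "version": "1"}  # wrong types, no components
SAMPLE_PROCEDURE = ("SBOMs are ingested from CI/CD and validated against the CycloneDX schema. "
                    "Stored SBOMs are monitored by correlating them with the NVD; a flagged component "
                    "triggers the vulnerability disclosure process. Each release carries an "
                    "Attestation of Security.")

if __name__ == "__main__":
    for name, content in [("procedure.md", SAMPLE_PROCEDURE), ("sbom.json", json.dumps(SAMPLE_CYCLONEDX)),
                          ("spdx.json", json.dumps(SAMPLE_SPDX)), ("bad.json", json.dumps(SAMPLE_BROKEN))]:
        print(name, validate(name, content))
```

The procedure check is a keyword presence test and reports exactly which of the six elements are missing, matching the FAIL output the page describes; the SBOM check stops at the minimal fields listed on the page and is not a full schema validation, so a PASS here means "structurally recognisable", not "conformant to the complete CycloneDX or SPDX schema".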
Getting Started
Add your source materials to the project workspace, then activate the SBOM Lifecycle Drafter skill. The agent will guide you through scope, lifecycle, vulnerability disclosure, and attestation. Run cyclonedx_schema_validator on the procedure draft and on sample SBOM files before finalizing.