Request a software bill of materials from an engagement
Turn on SBOM collection on a due diligence request and send the external assessment to collect SBOM data from an engagement contact.
Before you begin
- Confirm that the following applications are installed for SBOM file collection:
  - SBOM Core (sn_sbom_core)
  - Data Model for SBOM (sn_sbom_dm)
- If your organization requires vulnerability details for SBOM components, confirm that the following additional applications are installed:
  - SBOM Response (sn_sbom_resp)
  - Vulnerability Response (sn_vul)
  For more information, see Activate SBOM support.
- Confirm that the engagement uses the Smart Assessment Engine. SBOM collection isn't supported for Classic assessments.
- Inform the engagement contact that they will receive an external assessment requesting an SBOM file in JSON or XML format. The third party generates this file using their own tooling. The ServiceNow platform does not create or edit SBOM files.
Role required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_risk_assessor
About this task
SBOM collection uses the standard third-party due diligence workflow and does not change onboarding or IRQ processes.
The engagement-level external assessment is the mechanism through which SBOM information is collected.
Procedure
- Turn on SBOM collection for the engagement. The steps depend on whether the due diligence request already exists:
  - New due diligence request:
    - Initiate the due diligence request.
    - Select SBOM required.
    - Complete the request.
    For details, see Request due diligence for a third-party engagement.
  - Existing due diligence request:
    - Open the due diligence request.
    - Select SBOM required.
    - Save the record.
- Send the external assessment to request the SBOM.
What to do next
After the external assessment is submitted, review the submission outcome. For details, see Review a software bill of materials submission from an engagement.