Exploring software bill of materials collection

  • Release version: Australia
  • Updated May 1, 2026

    Third-party Risk Management (TPRM) collects software bill of materials (SBOM) files through engagement-level due diligence. This topic covers the users and workflow involved.

    SBOM overview

    A software bill of materials is a structured inventory file generated by a software vendor that lists the components, libraries, and dependencies used in a product. Third-party Risk Management supports collecting SBOM files as part of the due diligence process for third-party engagements.

    SBOM files follow industry-standard formats; third parties typically provide them as JSON, and XML is also supported. The third party generates and maintains its SBOM files and uploads them through the engagement's external assessment for collection and processing. Third-party Risk Management collects and parses the submitted file and associates it with the related records.

    Important:
    SBOM collection is supported only for engagements that use the Smart Assessment Engine (SAE). Classic assessments are not supported.

    SBOM users

    Table 1. Users

    | User | Description |
    |---|---|
    | Third-party risk assessor | Sends assessments to third-party contacts and reviews submitted and processed SBOM information for an engagement. Can access the SBOM workspace. |
    | Third-party risk manager | Oversees SBOM collection across engagements and uses submitted information to support risk evaluation. Can access the SBOM workspace. |
    | Third-party administrator | Configures access and permissions to support SBOM collection and review across engagements. Can access the SBOM workspace. |
    | Third-party assessment reviewer | Can view SBOM component records on the engagement and third-party records. Does not have access to the SBOM workspace. |
    | Third-party contact | Receives the engagement's external assessment through the portal and uploads an SBOM file on behalf of their organization. |

    SBOM workflow

    The SBOM collection workflow runs as part of the standard due diligence process for a third-party engagement. When the SBOM required field is selected on the due diligence request and the engagement uses the SAE, the system automatically associates an SBOM questionnaire template with the external assessment for the engagement.

    1. An employee at your organization requesting due diligence selects the SBOM required field on the due diligence request.
    2. When the due diligence request advances to the due diligence stage, the system automatically associates the SBOM questionnaire template with the external assessment for the engagement.
    3. The engagement contact receives the assessment through the third-party portal and uploads the SBOM file.
    4. Post-assessment processing sends the file to the SBOM API provided by Unified Security Exposure Management (USEM). The outcome depends on the third party's response:

      • If the file is valid, parsed component records are associated with the engagement and, where applicable, the related third-party record.
      • If the file cannot be parsed, the assessment is reopened for resubmission.
      • If the third party declines to provide an SBOM, the assessment is closed.

      For details on each path, see Request a software bill of materials from an engagement.

      For troubleshooting API processing issues, see the Unified Security Exposure Management (USEM) documentation.

    5. The third-party risk manager reviews SBOM information in the engagement context.

    Note:
    After activating the required applications and using SAE-based due diligence, the automation attaches the default SBOM questionnaire when SBOM required is selected. Your organization can also configure which evaluations or conditions trigger SBOM collection.
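    As an added illustration of the three outcomes in step 4 (example code, not ServiceNow's own implementation or the USEM SBOM API), the following Python parses a constructed CycloneDX-style JSON SBOM into component records and routes the submission to link, reopen, or close. CycloneDX is assumed here as the industry-standard JSON format; the outcome names and the sample file are this example's own.

```python
import json
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Outcome(Enum):
    LINK_COMPONENTS = "parsed components linked to engagement and third party"
    REOPEN_FOR_RESUBMISSION = "file could not be parsed; assessment reopened"
    CLOSE_ASSESSMENT = "third party declined to provide an SBOM; assessment closed"


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]  # package URL, when the vendor declared one


def parse_cyclonedx_json(raw: bytes) -> List[Component]:
    """Turn a CycloneDX JSON SBOM into component records; raise ValueError if unusable."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        raise ValueError("bomFormat is not CycloneDX")
    comps = doc.get("components")
    if not isinstance(comps, list) or not comps:
        raise ValueError("no components declared")
    records = []
    for comp in comps:
        if not isinstance(comp, dict) or not comp.get("name"):
            raise ValueError("component entry without a name")
        records.append(Component(comp["name"], str(comp.get("version", "")), comp.get("purl")))
    return records


def process_submission(declined: bool, raw: Optional[bytes]) -> Tuple[Outcome, List[Component]]:
    """Model the post-assessment branching: declined -> close; unparseable -> reopen; valid -> link."""
    if declined:
        return Outcome.CLOSE_ASSESSMENT, []
    try:
        return Outcome.LINK_COMPONENTS, parse_cyclonedx_json(raw or b"")
    except ValueError:
        return Outcome.REOPEN_FOR_RESUBMISSION, []


# Constructed sample SBOM for the example; not a file from the page or a real vendor.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-lib", "version": "2.3.1", "purl": "pkg:pypi/example-lib@2.3.1"},
        {"type": "library", "name": "other-lib", "version": "0.9.0"},
    ],
}).encode()
```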

    SBOM benefits

    Table 2. SBOM benefits

    | Benefit | Feature | Users |
    |---|---|---|
    | Request SBOM data as part of due diligence for a third-party engagement. | SBOM collection | Third-party risk assessor, third-party risk manager |
    | Review submitted SBOM files and related processing activity in the engagement context. | Assessment activity and processing | Third-party risk assessor, third-party risk manager |
    | Review parsed software component declarations for the engagement and, where applicable, related third-party context. | Parsed component records | Third-party risk assessor, third-party risk manager |
    | If your instance has the SBOM Response and Vulnerability Response applications installed, access vulnerability details associated with declared SBOM components. | Vulnerability details | Third-party risk assessor, third-party risk manager |