Appendix B: References

The following resources may be useful to users and adopters of this standard:

OWASP Projects

• OWASP Packman

• OWASP Software Assurance Maturity Model (SAMM)

Community Projects

• Open Source Security Foundation - Threats, Risks, and Mitigations in the Open Source Ecosystem

Others

• InnerSource

• Cybersecurity Maturity Model Certification (CMMC)

• NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations

• NIST 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations

• NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

• NTIA Documents on Software Bill of Materials

• Model Procurement Contract Language Addressing Cybersecurity Supply Chain Risk

• Guide on Cybersecurity Procurement Language in Task Order Requests for Proposals for Federal Facilities

• Energy Sector Control Systems Working Group (ESCSWG)

SBOM Formats

• CycloneDX

• SPDX

• SPDX XML

• ISO/IEC 19770-2:2015 (SWID)