# Appendix B: References

The following resources may be useful to users and adopters of this standard:

### OWASP Projects

* [OWASP Packman](https://github.com/OWASP/packman)
* [OWASP Software Assurance Maturity Model (SAMM)](https://owasp.org/www-project-samm/)

### Community Projects

* [Open Source Security Foundation - Threats, Risks, and Mitigations in the Open Source Ecosystem](https://github.com/ossf/wg-identifying-security-threats/tree/main/publications/threats-risks-mitigations)

### Others

* [InnerSource](https://www.oreilly.com/library/view/adopting-innersource/9781492041863/ch01.html)
* [Cybersecurity Maturity Model Certification (CMMC)](https://www.acq.osd.mil/cmmc/)
* [NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf)
* [NIST 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf)
* [NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
* [NTIA Documents on Software Bill of Materials](https://www.ntia.doc.gov/SBOM)
* [Model Procurement Contract Language Addressing Cybersecurity Supply Chain Risk](https://www.eei.org/issuesandpolicy/Documents/EEI%20Law%20-%20Model%20Procurement%20Contract%20Language.pdf)
* [Guide on Cybersecurity Procurement Language in Task Order Requests for Proposals for Federal Facilities](https://www.pnnl.gov/main/publications/external/technical_reports/PNNL-28661.pdf)
* [Energy Sector Control Systems Working Group (ESCSWG)](https://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf)

### SBOM Formats

* [CycloneDX](https://cyclonedx.org/)
* [SPDX](https://spdx.org/)
* [SPDX XML](https://spdx-ccm.specchain.org/xsdccm/home)
* [ISO/IEC 19770-2:2015 (SWID)](https://www.iso.org/standard/65666.html)
