Downloading and Using the SBOM
Q: Why is Cisco providing SBOMs now?
A: In May 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Critical Infrastructure (EO 14028), and the Office of Management and Budget published memoranda in support of this EO. We support the U.S. government’s directives related to Software Bills of Materials (SBOMs) to improve critical infrastructure cybersecurity and to address complex multidimensional cybersecurity challenges affecting the world. Two common themes emerge across these initiatives—the need to expand public/private partnerships and the need to improve transparency and information sharing.
Trust in technology is being undermined by a lack of software transparency. Recent cybersecurity attacks highlight the complexities of the software supply chain, as well as the lack of visibility into cascading risks accepted when operating today’s software. An SBOM, a machine-readable format for organizing metadata that describes the components from which software is built, can help provide greater transparency. Cisco supports industry adoption of SBOMs.
Learn more at https://www.cisco.com/c/en/us/about/trust-center/transparency.html.
Q: What data is in a Cisco SBOM?
A: Cisco SBOMs represent software images running on Cisco products, conform to version 2.3 or later of the SPDX specification, and have, at a minimum, the following SPDX data fields:
For information about SPDX data fields, see the most recent version of the specification on the SPDX website.
Q: Where can I go to get additional information about Cisco’s SBOM Policy?
A: See https://www.cisco.com/c/en/us/about/trust-center/transparency.html.
For instructions on how to use the SBOM Request Form, see the instructions page.
For help with logging in to a Cisco.com account, see the Cisco Login and Account Help page.
A: Customers with valid Cisco.com accounts and current support contracts, as well as partners with valid Cisco.com accounts, can access the form to submit SBOM requests. To download an SBOM, a user must have accepted the following terms: 1) Cisco’s SBOM Use Terms, which they accept when they submit an SBOM request, and 2) Cisco’s End User License Agreement, which they accept in the Special File Access (SFA) tool when attempting to download an SBOM. SBOM requests will be qualified, and Cisco is leveraging the existing mechanisms in SFA to determine whether any country embargoes or other legal restrictions exist.
A: Use the SBOM Request Form to request an SBOM.
Q: Can I use my purchase order to identify software running on my products?
A: No. Cisco purchase orders do not identify which Cisco software images run on Cisco products.
Q: Can I use the SBOM Request Form to request SBOMs for Cisco on-premises products?
A: Yes. You can use the SBOM Request Form to request SBOMs for certain releases of on-premises software from Cisco that were released or modified by major version changes after September 14, 2022. This timeline is consistent with the scope of software referenced in the Office of Management and Budget Memorandum M-22-18.
Q: Can I use the SBOM Request Form to request SBOMs for Cisco cloud-based services?
A: Not at this time. What an SBOM for a cloud-based service should contain has not yet been clearly defined or agreed upon. Public/private partnerships and SBOM Standards Development Organizations, including the CISA SBOM Workstream on Cloud and Online Applications, are helping to define this.
Q: Why can I only request 10 SBOMs at a time?
A: To ensure that we can honor all requests, we are currently limiting each requestor to 10 per form submission.
Q: What should I do if I need more than 10 SBOMs?
A: Fill out the SBOM Request Form again to request additional SBOMs.
Q: Is there a place I can go to find SBOMs and download them without using the request form?
A: No. SBOMs are currently only available by request using the SBOM Request Form.
Q: I am a Cisco partner submitting an SBOM request on behalf of my customer. Do I need to know my customer's Cisco.com ID to submit the request?
A: You will need to enter the email address associated with your customer's Cisco.com account. That email address will receive the email with the link to the SBOM when it is ready to be downloaded, and your customer must log in to Cisco.com with the account associated with that email to download the SBOM.
Q: I need the SBOM information as part of a Request for Proposal (RFP) or Request for Quote (RFQ). How long in advance do I have to submit my request?
A: Submit your request as soon as possible to give Cisco the maximum amount of time to process it before your deadline.
Q: I need the SBOM information as part of an RFP or RFQ, but I don't know what software will be installed on the Cisco devices and therefore don't know which hash to get. What should I do?
A: If it is allowed by the purchaser, select an SBOM for a current software image and submit that with the proposal or quote. You can request an SBOM for the actual software after it is installed.
For instructions on how to use the SBOM Request Form, see the instructions page.
Q: What information do I need to provide to request an SBOM?
A: Once you have logged in to Cisco.com, you will need to provide specific information about your software product. This is the only way that Cisco can identify your software product and ensure that you receive the correct SBOM.
Q: Why does the SBOM Request Form require so much information about my software?
A: Cisco has released thousands of software images. A given piece of hardware may be running one of a number of releases of software. We require specific information about your product to ensure that you receive the correct SBOM.
Q: How do I get the hash for my software?
A: See Option 1: Enter Software Identification Information in the SBOM Request Form Instructions.
Q: What if I cannot provide the hash for my software image?
A: Use Option 2: Select from Lists to Provide Partial Identification Information on the SBOM Request Form.
Q: What do I do if my hash cannot be found?
A: Use Option 2: Select from Lists to Provide Partial Identification Information or Option 3: Provide Any Information You Have About the Product on the SBOM Request Form.
Q: What if I am unsure about which product, platform, or release I should choose?
A: Rather than selecting entries that you are unsure of, use Option 3: Provide Any Information You Have About the Product on the SBOM Request Form. Provide as much product information as you have in the text box, including any product name, platform, and release information. The product ID (PID) and the output of the show ver command would be helpful as well. A Cisco subject matter expert (SME) will use the information that you provide to determine the correct SBOM. The SME may contact you to get additional information. We will provide an SBOM once we can correctly identify the product.
Q: The product, platform, or release that I need to select is not one of the options presented. What do I do now?
A: Use Option 3: Provide Any Information You Have About the Product on the SBOM Request Form.
Q: How can I get the status of my request?
A: Customers can inquire about the status of an SBOM request by sending an email to sbom-request-reply-in@cisco.com. Include the request case ID in the Subject of the email. In the body of the email, state that you are inquiring about the status of your request.
Q: I submitted my request a long time ago. Is there an escalation process that can speed up the SBOM's delivery?
A: Customers can request an escalation by sending an email to sbom-request-reply-in@cisco.com. Include the request case ID in the Subject of the email. In the body of the email, state that you are inquiring about the status of your request.
Q: It has been more than 72 hours since I received the email notifying me that the download for my requested SBOM was available, and now the link no longer works. What should I do?
A: Use the SBOM Request Form to request the same SBOM. Its delivery will be accelerated.
Q: I clicked the link to get the SBOM that I requested. How do I download the SBOM?
A: Click the arrow that is pointing down on the right side of the page.
A: See the instructions for SBOM validation.
Q: Why doesn't the SHA-512 hash on the download page match the hash that I provided on the SBOM Request Form?
A: You have received a zipped SPDX+SIG file. The hash displayed is the hash for that file, not for any of the images for which you requested an SBOM.
Q: When I try to download the SBOMs, I get the following message: "In order to download software, please confirm that you have read and agree to be bound by the terms of the Cisco End User License Agreement and any Supplemental Terms, if applicable." Why do I have to accept an EULA to download the SBOMs?
A: An SBOM is considered an element of software and contains confidential information that cannot be accessed except under confidentiality obligations, which are presented in Cisco’s EULA. Users are required to accept both Cisco’s EULA (as displayed by the Special File Access tool when attempting to download an SBOM) and the additional SBOM Use Terms (as presented on the SBOM Request Form).
Q: I've downloaded some files through the provided links, and when I unpack them, I get many SPDX and SIG files. What are those for?
A: The SPDX files are the SBOMs. Open them to get information about which SBOM goes with which image. The SIG file is a detached signature to verify the authenticity of the SBOMs and prove that they haven't been tampered with.
Q: I compared the SBOM I got from Cisco to an SBOM that I generated myself or that was provided by a third party. They don't match. How can that be?
A: Cisco produces SBOMs using numerous methods, including binary scanning, source code analysis, package management and inventory tools, and other commercial and proprietary tools. Each SBOM is then reviewed and curated by technical experts from the appropriate product development team to improve correctness and completeness. Automated, commercial, off-the-shelf tools that generate an SBOM from a binary file might not produce SBOMs with the same quality and completeness as Cisco’s internal SBOM generation process.
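Two of the answers above, the archive hash shown on the download page and the comparison of a Cisco SBOM with one from another source, worked through as an added example that is not Cisco's tooling: it checks a downloaded archive's SHA-512 and then diffs the package inventories of two SPDX 2.3 JSON documents. The two SBOMs are constructed inline with the standard SPDX 2.3 JSON field names; their packages and versions are made up.

```python
import hashlib
import hmac
import json


def spdx_doc(name, packages):
    """Build a minimal SPDX 2.3 JSON document from (name, version) pairs."""
    return json.dumps({
        "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": name,
        "packages": [{"SPDXID": f"SPDXRef-{i}", "name": n, "versionInfo": v}
                     for i, (n, v) in enumerate(packages, 1)],
    })


# Constructed inputs: one stands in for a Cisco-provided SBOM, the other for a
# scanner's output on the same image; packages and versions are invented.
CISCO_SBOM = spdx_doc("example-image-sbom",
                      [("openssl", "3.0.9"), ("zlib", "1.2.13"), ("libxml2", "2.10.3")])
SCANNER_SBOM = spdx_doc("scanner-output",
                        [("openssl", "3.0.9"), ("zlib", "1.2.11"), ("busybox", "1.36.0")])


def sha512_matches(archive_bytes, expected_hex):
    """Compare the SHA-512 of the downloaded zip with the hash shown on the
    download page. That hash covers the archive, not any image inside it."""
    digest = hashlib.sha512(archive_bytes).hexdigest()
    return hmac.compare_digest(digest, expected_hex.strip().lower())


def package_index(spdx_json):
    """Map package name -> version from an SPDX 2.x JSON document."""
    doc = json.loads(spdx_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    return {p["name"]: p.get("versionInfo", "NOASSERTION")
            for p in doc.get("packages", [])}


def diff_packages(a_json, b_json):
    """Report what is worth sending back for review: packages present in
    only one SBOM, and packages in both whose versions disagree."""
    a, b = package_index(a_json), package_index(b_json)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "version_mismatch": sorted((n, a[n], b[n]) for n in set(a) & set(b)
                                   if a[n] != b[n]),
    }
```

Run `diff_packages(CISCO_SBOM, SCANNER_SBOM)` to see the three buckets; the version-mismatch list is the part most worth including in the body of an email to the review address above.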
Q: I need to talk to someone at Cisco about the differences between the SBOM I got from Cisco and one I got from another source or that I generated myself. How do I do that?
A: Customers can request a review of the differences by emailing sbom-request-reply-in@cisco.com. Put the SBOM request case ID in the Subject line and provide the differences in the body of an email.
Q: I've reviewed the SBOM contents, and I believe they may be incomplete or inaccurate. How can I provide this feedback to get it corrected?
A: Customers can report errors in an SBOM by emailing sbom-request-reply-in@cisco.com. Put the SBOM request case ID in the Subject line and list the errors in the body of an email.
Q: The SBOM I received is for a different product or product version than the one I requested an SBOM for. What should I do now?
A: Report this by emailing sbom-request-reply-in@cisco.com. Attach the SBOM to the email and put the SBOM request case ID that you received when you submitted the original request in the Subject line.
Q: How can I get security vulnerability information for an SBOM?
A: You can request Vulnerability Exploitability eXchange (VEX) statuses through the Cisco Vulnerability Repository (CVR).
Q: Which format is Cisco using to provide SBOMs?
A: SBOM information is provided in JSON-based SPDX format.
Q: I tried to import the SBOM into my homegrown or commercial tool, and I got an error about an invalid format. Who can I contact to get help with this problem?
A: Report this problem by emailing sbom-request-reply-in@cisco.com. Attach the SBOM to the email and put the SBOM request case ID that you received when you submitted the original request in the Subject line.
Q: Can I get the SBOM in another format, such as .csv or .txt?
A: No. Cisco SBOMs are only produced in SPDX format. If you need to view the SBOM in another format, use a third-party tool.
Q: In response to my SBOM request, I received the following message: "We cannot determine for which Cisco product you are requesting an SBOM." How can it be that Cisco cannot determine the product?
A: If you provided an image hash, it may be that the hash was incomplete or modified, or it did not come from the Details pop-up dialog on the Software Download Center. If you used Option 3, there may not have been enough information provided to identify a specific image.
Q: My SBOM request was denied because "it falls outside the EO (Executive Order) window." What is the "EO window"?
A: The Office of Management and Budget Memorandum M-22-18 was issued on September 14, 2022 in furtherance of the Executive Order (EO) on Improving the Nation’s Critical Infrastructure, and the requirements in the memorandum apply to software developed or modified with major changes after that date. The SBOM Request Tool was built to ensure Cisco can meet customer requirements under the EO and is tied to timelines for software covered under the EO.