The Software Bill of Materials (SBOM) Request Form allows Cisco customers with a Cisco.com account to receive SBOMs for Cisco software products. Cisco believes that SBOMs are a foundational element necessary to provide greater security and trust in all technology.
The information in Cisco's SBOMs is proprietary and confidential. Cisco customers are required to use SBOMs for valid software risk management purposes only. Customers should not share Cisco SBOMs with third parties except for their employees, affiliates, and contractors who require the information in the SBOM to perform their job tasks. Customers' use of SBOMs is subject to the SBOM Use Terms, which appear in the SBOM itself as well as at the bottom of the SBOM Request Form page.
Cisco SBOMs are formatted using the Software Package Data Exchange (SPDX) standard. SPDX is an international open standard (ISO/IEC 5962:2021) and an open source project hosted by the Linux Foundation.
For assistance filling out the SBOM Request Form, contact sbom-support@cisco.com.
Log in to your Cisco.com account, and open the Cisco SBOM Request Form. The Submitter Information fields will populate automatically. If the information in the form is incorrect, go to https://id.cisco.com/signin/register to update your information, then refresh the SBOM Request Form page.
There are three options for requesting an SBOM through this online form. If you are requesting SBOMs for more than one software image, you may use more than one option. You can include up to ten (10) SBOM requests in one submission. Do not submit a request for the same software image more than once.
This option is the simplest and quickest way to get an accurate SBOM. Paste the SHA-512 hash for your software image in the field. To enter multiple SHA-512 hash values, paste the hashes as a comma-delimited list or a newline-separated list. However, you are still limited to no more than 10 SBOMs in one form submission.
To get the SHA-512 hash for a software image, do the following:
In the Cisco SBOM Request Form, paste the SHA-512 hash into the field, and then click the Add to request button.
The request will appear in the Software Selected for SBOM Request section at the bottom of the page.
To request an SBOM for another software image, repeat the steps. You can request up to 10 SBOMs in one form submission.
To use this option, you must choose values for each of the three columns and enter additional software identification information.
To request an SBOM using this option:
The request will appear in the Software Selected for SBOM Request section at the bottom of the page.
To request an SBOM for another software image, repeat the steps. You can request up to 10 SBOMs in one form submission.
Use this option to request assistance with identifying your Cisco software product. SBOM requests that are made using this option will take significantly longer to fulfill than requests that are made using Option 1 or Option 2.
To request an SBOM using this option:
The request will appear in the Software Selected for SBOM Request section at the bottom of the page.
To request an SBOM for another software image, repeat the steps. You can request up to 10 SBOMs in one form submission.
Once you have added up to 10 requests, review the final list under Software Selected for SBOM Request. Then read the SBOM Use Terms, and click the Submit Request button. A pop-up window will open thanking you for your submission and listing your requests. Click OK to close it.
After submitting, you will receive an email verifying the request. All of the products for which you requested an SBOM will be listed, along with their assigned case IDs.
Do not reply to the email. If you have a question about your SBOM request, click the link with the appropriate case ID in the confirmation email. Doing so will open a new email with the request number in the Subject field. This email is the best way to ask questions or get an update on your SBOM request.
You will receive an email for each SBOM you requested that will include the link to download the SBOM. The files will be available for 72 hours from the time the email was sent. After that time, the files will become unavailable to download, and you will need to submit a new SBOM request.
The downloaded file is a zip file. After downloading, unzip the file. It will contain the following:
The following commands validate the SBOM to ensure it has not been modified or tampered with. They use the OpenSSL tool, which must be installed on your computer, and are run from the command line of your operating system. Be aware that the specific options in the following instructions may or may not be available on the specific version of the tool you are using.
where:
<sha-512>.sig is the file name of the signature file (which uses the extension .sig).
<sha-512>.sig.bin is the file name of the output file.
where:
<sha-512>.sig.bin is the file name used for the output file in the previous step.
<sha-512>.json is the file name of the provided SBOM file (which uses the extension .json).
If the output of the last command is the text Verified OK, the validation has been successful, and the SBOM has not been tampered with. If any other output is displayed, you should not use the SBOM. Follow the instructions in Validation Failure, and then submit a new SBOM request.
As an optional step, you can also validate the certificate that was used to sign the SBOM. This step also uses the OpenSSL tool, and the same caveat applies: the specific options in the following instructions may or may not be available on the version of the tool you are using. The signing certificate has been signed by one of Cisco's subordinate certificate authorities (CAs). All of Cisco's root CA certificates, subordinate CA certificates, and certificate revocation lists (CRLs) can be found at https://www.cisco.com/security/pki/.
To validate the signing certificate, do the following:
If the output is Cisco_Generic_SBOM_Signer.pem: OK, the signing certificate has been validated.
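To rehearse both OpenSSL checks above (the SBOM signature check, then the optional signing-certificate check) before working on a real download, here is an added shell example that is not Cisco's own tooling. It generates a throwaway self-signed key and certificate plus a constructed SPDX JSON file in place of the zip contents, and assumes two things the page does not state: that the .sig file holds a base64-encoded signature (hence the decode into .sig.bin), and that the verifying key is the public key inside the signer certificate.

```shell
#!/bin/sh
# Added example (not Cisco tooling): rehearses the page's OpenSSL checks on
# a locally generated key/cert and a constructed SBOM, so the expected
# "Verified OK" and "<cert>: OK" outputs can be seen before a real download.
# Assumptions not stated on the page: the .sig file is base64 text, and the
# verifying key is the public key inside the signer certificate.
set -eu
WORK=$(mktemp -d)

# Constructed stand-ins for the zip contents: a self-signed signer cert
# (playing Cisco_Generic_SBOM_Signer.pem) and a minimal SPDX JSON document.
openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 1 \
  -subj "/CN=constructed-sbom-signer" \
  -keyout "$WORK/signer.key" -out "$WORK/signer.pem" 2>/dev/null
printf '{"spdxVersion":"SPDX-2.3","name":"constructed-sbom"}\n' > "$WORK/sbom.json"
# Detached SHA-512 signature, stored base64-encoded like a <sha-512>.sig file.
openssl dgst -sha512 -sign "$WORK/signer.key" -out "$WORK/sbom.sig.raw" "$WORK/sbom.json"
openssl base64 -in "$WORK/sbom.sig.raw" -out "$WORK/sbom.sig"

# verify_sbom <sig> <json> <signer-cert>: exit 0 only on "Verified OK".
verify_sbom() {
  sig=$1; json=$2; cert=$3; bin="$sig.bin"
  # Step 1 on the page: produce the binary <sha-512>.sig.bin from the .sig file.
  openssl base64 -d -in "$sig" -out "$bin"
  # Extract the signer's public key from its certificate (assumption).
  openssl x509 -in "$cert" -pubkey -noout > "$bin.pub"
  # Step 2 on the page: check the signature against the SBOM JSON file.
  out=$(openssl dgst -sha512 -verify "$bin.pub" -signature "$bin" "$json" 2>&1 || true)
  [ "$out" = "Verified OK" ]
}

# verify_cert <cert> <ca-file>: exit 0 only on "<cert>: OK", the page's
# success string for the optional certificate check (real use: Cisco's CA files).
verify_cert() {
  out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
  [ "$out" = "$1: OK" ]
}

# One altered byte in the SBOM must turn "Verified OK" into a failure.
sed 's/constructed/tampered/' "$WORK/sbom.json" > "$WORK/tampered.json"

for f in sbom.json tampered.json; do
  if verify_sbom "$WORK/sbom.sig" "$WORK/$f" "$WORK/signer.pem"; then
    echo "$f: Verified OK"
  else
    echo "$f: validation FAILED - do not use this SBOM"
  fi
done
if verify_cert "$WORK/signer.pem" "$WORK/signer.pem"; then echo "signer.pem: OK"; fi
```

With a real download, the second argument to verify_cert would be a Cisco root CA file from the PKI page, and the subordinate CA file can be supplied to openssl verify with -untrusted.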
If SBOM validation fails, send an email to sbom-support@cisco.com. Attach the original SBOM zip file to the email. In your email, include which validation failed (SBOM or signature) and the output of each of the commands used during the validation process.