SBOM Request Form Instructions

Overview

The Software Bill of Materials (SBOM) Request Form allows Cisco customers with a Cisco.com account to receive SBOMs for Cisco software products. Cisco believes that SBOMs are a foundational element necessary to provide greater security and trust in all technology.

The information in Cisco's SBOMs is proprietary and confidential. Cisco customers are required to use SBOMs for valid software risk management purposes only. Customers should not share Cisco SBOMs with third parties except for their employees, affiliates, and contractors who require the information in the SBOM to perform their job tasks. Customers’ use of SBOM is subject to the SBOM Use Terms, which appear in the SBOM itself as well as at the bottom of the SBOM Request Form page.

Cisco SBOMs are formatted using the Software Package Data Exchange (SPDX) standard. SPDX is an international open standard (ISO/IEC 5962:2021) and an open source project hosted by the Linux Foundation.


Form Instructions

For assistance filling out the SBOM Request Form, contact sbom-support@cisco.com.

Submitter Information

Log in to your Cisco.com account, and open the Cisco SBOM Request Form. The Submitter Information fields will populate automatically. If the information in the form is incorrect, go to https://id.cisco.com/signin/register to update your information, then refresh the SBOM Request Form page.


Add Software Products to Your Request

There are three options for requesting an SBOM through this online form. If you are requesting SBOMs for more than one software image, you may use more than one option. You can include up to ten (10) SBOM requests in one submission. Do not submit a request for the same software image more than once.


Option 1: Enter Software Identification Information

This option is the simplest and quickest way to get an accurate SBOM. Paste the SHA-512 hash for your software image in the field. To enter multiple SHA-512 hash values, paste the hashes as a comma-delimited list or a newline-separated list. However, you are still limited to no more than 10 SBOMs in one form submission.

To get the SHA-512 hash for a software image, do the following:

  1. Find your software image in the Cisco Software Download Center. For instructions on navigating the Software Download Center, see Cisco Software Downloads Help & FAQ.

  2. Hover the mouse pointer over the image name. The Details window will appear.

  3. On the line that begins SHA-512 Checksum, click the clipboard icon on the right. The SHA-512 hash will be copied to your clipboard. Do not attempt to highlight and copy the hash. If you do so, you will only get part of the hash. To get the entire hash, click the clipboard icon.


In the Cisco SBOM Request Form, paste the SHA-512 hash into the field, and then click the Add to request button.


The request will appear in the Software Selected for SBOM Request section at the bottom of the page.

To request an SBOM for another software image, repeat the steps. You can request up to 10 SBOMs in one form submission.


Option 2: Select from Lists to Provide Partial Identification Information

To use this option, you must choose values for each of the three columns and enter additional software identification information.


To request an SBOM using this option:

  1. Select a product from the Select Cisco Product list. You can enter all or part of a product name into the field at the top to filter the products in the list. Once you have selected a product, the Select Cisco Platform list will populate to the right.

  2. Select a platform from the Select Cisco Platform list. You can enter all or part of a platform name into the field at the top to filter the platforms in the list. Once you have selected a platform, the Select Release list will populate.

  3. Select a software release from the Select Release list. You can enter all or part of a release number into the field at the top to filter the releases in the list.

  4. Enter information in the Enter Additional Software Identification Information field to help us determine the exact software image. Examples of helpful information include the output of the show version command, the name of the software image, or product identification information about the hardware that runs the software. This field is required.

  5. Click the Add to request button.


The request will appear in the Software Selected for SBOM Request section at the bottom of the page.

To request an SBOM for another software image, repeat the steps. You can request up to 10 SBOMs in one form submission.


Option 3: Provide Any Information You Have About the Product

Use this option to request assistance with identifying your Cisco software product. SBOM requests that are made using this option will take significantly longer to fulfill than requests that are made using Option 1 or Option 2.

To request an SBOM using this option:

  1. Enter the appropriate information in the four fields: Cisco Software Name, Cisco Platform, Cisco Version, and Additional Information. The more information you can provide—and the more accurate that information is—the more quickly we may be able to resolve your request.

  2. Click the Add to request button.

The request will appear in the Software Selected for SBOM Request section at the bottom of the page.

To request an SBOM for another software image, repeat the steps. You can request up to 10 SBOMs in one form submission.


Submit Your Request

Once you have added up to 10 requests, review the final list under Software Selected for SBOM Request. Then read the SBOM Use Terms, and click the Submit Request button. A pop-up window will open thanking you for your submission and listing your requests. Click OK to close it.


Confirmation Email

After submitting, you will receive an email verifying the request. All of the products for which you requested an SBOM will be listed, along with their assigned case IDs.


Do not reply to the email. If you have a question about your SBOM request, click the link with the appropriate case ID in the confirmation email. Doing so will open a new email with the request number in the Subject field. This email is the best way to ask questions or get an update on your SBOM request.

SBOM Delivery

You will receive an email for each SBOM you requested that will include the link to download the SBOM. The files will be available for 72 hours from the time the email was sent. After that time, the files will become unavailable to download, and you will need to submit a new SBOM request.

The downloaded file is a zip file. After downloading, unzip the file. It will contain the following:

  • The SBOM. This is a JSON file.
  • The signature for the SBOM. This is a SIG file.
  • The certificate containing the public key that was used to generate the SBOM's signature.

SBOM Validation

The following commands validate the SBOM to ensure it has not been modified or tampered with. They use the OpenSSL tool, which must be installed on your computer, and they are executed from the command line of your operating system. Be aware that the specific options in the following instructions may or may not be available on the specific version of the tool you are using.

  1. Extract the public key from the certificate file using the following command:
    openssl x509 -in Cisco_Generic_SBOM_Signer.pem -pubkey -noout > Cisco_Generic_SBOM_Signer.pub

  2. Convert the signature for the SBOM from base64 to binary using the following command:
    openssl enc -d -base64 -in <sha-512>.sig -out <sha-512>.sig.bin

    where:
    <sha-512>.sig is the file name of the signature file (which uses the extension .sig).
    <sha-512>.sig.bin is the file name of the output file.

  3. Validate the SBOM signature using the following command:
    openssl dgst -verify Cisco_Generic_SBOM_Signer.pub -keyform PEM -sha512 -signature <sha-512>.sig.bin <sha-512>.json

    where:
    <sha-512>.sig.bin is the file name used for the output file in the previous step.
    <sha-512>.json is the file name of the provided SBOM file (which uses the extension .json).

If the output of the last command is the text Verified OK, the validation has been successful, and the SBOM has not been tampered with. If any other output is displayed, you should not use the SBOM. Follow the instructions in Validation Failure, and then submit a new SBOM request.


Signing Certificate Validation

As an optional step, you can also validate the certificate that was used to sign the SBOM. Validating the certificate requires the OpenSSL tool, which must be installed on your computer. Be aware that the specific options in the following instructions may or may not be available on the specific version of the tool you are using. The signing certificate has been signed by one of Cisco's subordinated certificate authorities (CAs). All of Cisco's root CA certificates, subordinated CA certificates, and certificate revocation lists (CRLs) can be found at https://www.cisco.com/security/pki/.

To validate the signing certificate, do the following:

  1. Retrieve the Cisco root CA certificate "Cisco Root CA RSA4K 2099 (crca2099r4k) - PEM" at http://www.cisco.com/security/pki/certs/crca2099r4k.pem.

  2. Retrieve the Cisco subordinated CA certificate "Cisco Software Transparency SubCA (cswtsca) - PEM" at http://www.cisco.com/security/pki/certs/cswtsca.pem.

  3. Validate the signing certificate by using the following command at the command line of your operating system:
    openssl verify -verbose -CAfile crca2099r4k.pem -untrusted cswtsca.pem Cisco_Generic_SBOM_Signer.pem

If the output is Cisco_Generic_SBOM_Signer.pem: OK, the signing certificate has been validated.
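Both procedures above, the SBOM signature validation and the signing certificate validation, carried out end to end as an added example that is not Cisco's code: it builds a throwaway root CA, subordinate CA and signer certificate locally, signs a constructed SBOM, and then runs the page's own OpenSSL commands against the good file and against a tampered copy. The file names crca2099r4k.pem, cswtsca.pem and Cisco_Generic_SBOM_Signer.pem are reused only as stand-ins for certificates generated here; the image bytes, SBOM content and certificate subjects are all constructed for the demo and have nothing to do with Cisco's real PKI.

```shell
#!/usr/bin/env bash
# Added example (not Cisco's code): offline walk-through of the SBOM Validation
# and Signing Certificate Validation steps with a locally constructed PKI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ROOT_PEM="$WORK/crca2099r4k.pem"                  # stand-in for the Cisco root CA certificate
SUBCA_PEM="$WORK/cswtsca.pem"                     # stand-in for the Software Transparency SubCA
SIGNER_PEM="$WORK/Cisco_Generic_SBOM_Signer.pem"  # stand-in for the SBOM signing certificate
SIGNER_KEY="$WORK/signer.key"                     # signing key; in real life it never leaves the signer

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_signer]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
EOF

# Build the three-level chain: root CA -> subordinate CA -> SBOM signer.
make_demo_pki() {
  openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$ROOT_PEM" -subj "/CN=Demo Root CA" -days 30 2>/dev/null
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/subca.key" -out "$WORK/subca.csr" -subj "/CN=Demo SubCA" 2>/dev/null
  openssl x509 -req -in "$WORK/subca.csr" -CA "$ROOT_PEM" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/demo.cnf" -extensions v3_ca -days 30 -out "$SUBCA_PEM" 2>/dev/null
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$SIGNER_KEY" -out "$WORK/signer.csr" -subj "/CN=Demo SBOM Signer" 2>/dev/null
  openssl x509 -req -in "$WORK/signer.csr" -CA "$SUBCA_PEM" -CAkey "$WORK/subca.key" -CAcreateserial \
    -extfile "$WORK/demo.cnf" -extensions v3_signer -days 30 -out "$SIGNER_PEM" 2>/dev/null
}

# Produce what the delivery zip holds: <sha-512>.json and its base64 <sha-512>.sig,
# named after the SHA-512 of a constructed "software image".
make_signed_sbom() {
  printf 'constructed-image-bytes' > "$WORK/image.bin"
  local image_hash
  image_hash="$(openssl dgst -sha512 "$WORK/image.bin" | awk '{print $2}')"
  SBOM_JSON="$WORK/$image_hash.json"
  SBOM_SIG="$WORK/$image_hash.sig"
  printf '{"spdxVersion":"SPDX-2.3","name":"demo-sbom","packages":[]}\n' > "$SBOM_JSON"
  openssl dgst -sha512 -sign "$SIGNER_KEY" -out "$WORK/raw.sig" "$SBOM_JSON"
  openssl enc -base64 -in "$WORK/raw.sig" -out "$SBOM_SIG"   # .sig is base64 text, as on the page
}

# The page's three validation commands. Succeeds only when OpenSSL prints "Verified OK".
verify_sbom() {
  local json="$1" sig="$2" pub="$WORK/Cisco_Generic_SBOM_Signer.pub"
  openssl x509 -in "$SIGNER_PEM" -pubkey -noout > "$pub"
  openssl enc -d -base64 -in "$sig" -out "$sig.bin"
  openssl dgst -verify "$pub" -keyform PEM -sha512 -signature "$sig.bin" "$json"
}

# The page's chain check: root CA trusted, subordinate CA supplied as untrusted input.
verify_chain() {
  openssl verify -verbose -CAfile "$ROOT_PEM" -untrusted "$SUBCA_PEM" "$SIGNER_PEM"
}

make_demo_pki
make_signed_sbom

# A one-character change to the SBOM must turn "Verified OK" into a failure.
TAMPERED_JSON="$WORK/tampered.json"
sed 's/demo-sbom/demo-sb0m/' "$SBOM_JSON" > "$TAMPERED_JSON"

verify_sbom "$SBOM_JSON" "$SBOM_SIG"                                   # prints: Verified OK
verify_sbom "$TAMPERED_JSON" "$SBOM_SIG" || echo "tampered copy rejected, as expected"
verify_chain                                                           # prints: <path>/Cisco_Generic_SBOM_Signer.pem: OK
```

Run it with bash on a machine that has openssl on the PATH. Note that `openssl dgst -verify` also returns a non-zero exit status on "Verification Failure", so a script that automates the page's steps can gate on the exit code rather than on parsing the printed text.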


Validation Failure

If SBOM validation fails, send an email to sbom-support@cisco.com. Attach the original SBOM zip file to the email. In your email, include which validation failed (SBOM or signature) and the output of each of the commands used during the validation process.