CycloneDX v1.6: Now an Ecma International Standard

01 July 2024

OWASP is excited to announce that CycloneDX v1.6 has been officially ratified as an Ecma International standard, the CycloneDX Bill of materials specification, following a decisive vote at the Ecma General Assembly on 26 June. This milestone makes CycloneDX available as a global xBOM (Bill of Materials) standard for use across multiple domains. CycloneDX is an OWASP Flagship standards project developed in a community development model with Ecma International’s Technical Committee 54 (TC54), which underscores its importance and impact in the industry.

A Comprehensive Standard for the Software Supply Chain

CycloneDX v1.6 stands out as the global xBOM standard that holistically supports a wide range of assets, including software, services, hardware, firmware, AI/ML, and cryptography. This broad coverage is crucial in today’s complex and interconnected technology landscape, enabling organizations to achieve comprehensive visibility and management across their entire supply chain.

  • Software: Provides detailed transparency into software components and their dependencies, the foundation for vulnerability management and license compliance.
  • Services: Describes the third-party services a system calls, exposing dependencies and risks that could affect operational integrity.
  • Hardware and Firmware: Inventories physical components and embedded firmware, essential for sectors such as IoT and critical infrastructure.
  • AI/ML: Records machine learning models and the data they are built from, addressing the growing need for transparency and trust in AI-driven applications.
  • Cryptography: Inventories cryptographic assets (algorithms, keys, certificates and protocols) and the components that use them, supporting the cryptographic discovery needed for Post-Quantum Cryptography (PQC) readiness as outlined in NIST SP 1800-38B. Knowing where cryptography is used is the first step to protecting data integrity and confidentiality against evolving threats.
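
As an added illustration of what such an xBOM looks like in practice (this is the editor's example, not CycloneDX project code), the script below assembles a minimal CycloneDX 1.6 document that mixes a software component, with its declared license and Package URL, with cryptographic-asset components, then runs the structural checks a consumer would want before trusting a BOM and lists the algorithms that claim no quantum security level, which is the PQC migration backlog. Field names follow the CycloneDX 1.6 JSON schema as recalled by the editor and should be validated against the published schema at https://cyclonedx.org/schema/bom-1.6.schema.json; the package name, version and purl are constructed for illustration.

```python
"""Build and sanity-check a minimal CycloneDX 1.6 xBOM (software + CBOM).

Added example for this page, not CycloneDX project code. Field names follow
the CycloneDX 1.6 JSON schema as recalled by the editor; validate real output
against the published schema. Package names, versions and purls are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Package URL shape: pkg:<type>/[namespace/]<name>[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#]+(@[^?#]+)?(\?[^#]+)?(#.+)?$")
# CycloneDX serial numbers are UUID URNs.
SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def software_component(name, version, purl, license_id):
    """A library with a declared SPDX license (the acknowledgement field is new in 1.6)."""
    return {
        "type": "library",
        "bom-ref": purl,
        "name": name,
        "version": version,
        "purl": purl,
        "licenses": [{"license": {"id": license_id, "acknowledgement": "declared"}}],
    }


def algorithm_component(name, primitive, parameter_set, functions, nist_level):
    """A cryptographic-asset component describing one algorithm instance."""
    return {
        "type": "cryptographic-asset",
        "bom-ref": f"crypto:{name}",
        "name": name,
        "cryptoProperties": {
            "assetType": "algorithm",
            "algorithmProperties": {
                "primitive": primitive,
                "parameterSetIdentifier": parameter_set,
                "cryptoFunctions": functions,
                "nistQuantumSecurityLevel": nist_level,  # 0 = no quantum resistance claimed
            },
        },
    }


def build_bom(components, dependencies):
    """Assemble the top-level document; `dependencies` maps bom-ref -> [bom-ref]."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds")},
        "components": components,
        "dependencies": [{"ref": ref, "dependsOn": deps} for ref, deps in dependencies.items()],
    }


def check_bom(bom):
    """Structural checks a consumer should run before trusting a BOM; returns the problems found."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.6":
        problems.append("bomFormat/specVersion is not CycloneDX 1.6")
    if not SERIAL_RE.match(bom.get("serialNumber", "")):
        problems.append("serialNumber is not a urn:uuid")
    refs = set()
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref")
        if not ref or ref in refs:
            problems.append(f"missing or duplicate bom-ref: {ref!r}")
        refs.add(ref)
        if "purl" in comp and not PURL_RE.match(comp["purl"]):
            problems.append(f"malformed purl: {comp['purl']}")
        if comp.get("type") == "cryptographic-asset" and "cryptoProperties" not in comp:
            problems.append(f"cryptographic-asset without cryptoProperties: {ref}")
    for dep in bom.get("dependencies", []):
        for target in [dep["ref"], *dep.get("dependsOn", [])]:
            if target not in refs:
                problems.append(f"dependency points at unknown bom-ref: {target}")
    return problems


def quantum_vulnerable(bom):
    """Names of algorithm assets that claim no NIST quantum security level."""
    out = []
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        if props.get("algorithmProperties", {}).get("nistQuantumSecurityLevel", 0) == 0:
            out.append(comp["name"])
    return out


def example_bom():
    """Constructed sample: one TLS library that uses RSA-2048 and ML-KEM-768."""
    lib = software_component("example-tls", "1.2.3", "pkg:pypi/example-tls@1.2.3", "Apache-2.0")
    rsa = algorithm_component("RSA-2048", "pke", "2048", ["encrypt", "decrypt"], 0)
    mlkem = algorithm_component("ML-KEM-768", "kem", "768", ["keygen", "encapsulate", "decapsulate"], 3)
    return build_bom([lib, rsa, mlkem], {lib["bom-ref"]: [rsa["bom-ref"], mlkem["bom-ref"]]})


if __name__ == "__main__":
    bom = example_bom()
    print(json.dumps(bom, indent=2))
    print("problems:", check_bom(bom))
    print("needs PQC migration:", quantum_vulnerable(bom))
```

The dependency edges are what make this more than a parts list: a consumer can walk from the library to the algorithms it uses and answer "which shipped components still rely on RSA-2048" directly from the BOM, which is the cryptographic inventory question the PQC guidance asks.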

Ideal for Holistic Supply Chain and Advanced Cybersecurity Use Cases

CycloneDX v1.6 is specifically designed to meet the demands of holistic supply chain management and advanced cybersecurity use cases. By providing a detailed and comprehensive view of the entire supply chain, CycloneDX enables organizations to identify and mitigate risks effectively, ensuring resilience and security.

Unmatched License Support

One of the standout features of CycloneDX v1.6 is its advanced license support, which facilitates open-source license compliance and also supports commercial license management and procurement scenarios. This capability is critical for organizations navigating the complexities of software licensing, helping them demonstrate compliance and streamline procurement.

Wide Industry Support

CycloneDX has garnered wide industry support, with over 220 tools now supporting the standard. This extensive ecosystem demonstrates the trust and adoption by the industry, making CycloneDX a reliable and effective choice for organizations looking to enhance their supply chain security and management.

Quotes

The ratification of CycloneDX Bill of materials specification as an Ecma International standard is a testament to the effectiveness of the community model established by Technical Committee 54 (TC54). This model is a benchmark for future technical committees and the CycloneDX Bill of materials specification is just the beginning, with several other supply chain standards expected to emerge from TC54.

Samina Husain, Secretary General of Ecma International

The CycloneDX Bill of materials specification’s recognition as an international standard is a testament to its robustness and wide industry adoption. It exemplifies the kind of innovative solutions the OWASP Foundation is proud to support.

Andrew van der Stock, Executive Director of the OWASP Foundation

The standardization of CycloneDX by Ecma International is a major milestone for the global technology community. This achievement highlights our commitment to creating secure, transparent, and manageable supply chains.

Steve Springett, Chair of the Ecma TC54 and Director of Product Security at ServiceNow

About Ecma Technical Committee (TC54)

The Ecma Technical Committee 54 (TC54) is responsible for drafting the CycloneDX Bill of materials specification and other related initiatives. Operating under a community development model, the committee is dedicated to standardizing core data formats, APIs, and algorithms that advance software and system transparency.

Among TC54’s ongoing projects is the standardization of Package URL (purl), a specification for identifying and locating software packages. This is crucial for managing dependencies and vulnerabilities across diverse software ecosystems. Another key initiative is the Transparency Exchange API, designed for the efficient sharing of supply chain artifacts and intelligence, further enhancing the security and transparency of supply chains.

For more information about TC54 and its initiatives, please visit https://tc54.org.

About Ecma International

Ecma International is a not-for-profit industry association of technology developers, vendors, and users founded in 1961 and dedicated to the standardization of Information and Communication Technology (ICT) and Consumer Electronics (CE). For over 60 years Ecma has actively contributed to worldwide standardization in information technology and telecommunications. More than 400 Ecma Standards and 100 Technical Reports of high quality have been published, more than two-thirds of which have also been adopted as International Standards and/or Technical Reports.

To learn more or to become a member, visit https://ecma-international.org.

About the OWASP Foundation

The OWASP Foundation is a nonprofit organization that works to improve the security of software. Through community-led open source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. For nearly two decades corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work. To learn more or to become a member, visit https://owasp.org.

For more information about CycloneDX v1.6 and its benefits, please visit https://cyclonedx.org.

CycloneDX Supporters

Apiiro
Bloomberg
Contrast Security
Ecma International
Fortress Information Security
IBM
IonChannel
Kondukto
Lockheed Martin
NowSecure
OWASP
Rezilion
ServiceNow
Sonatype