CycloneDX Attestations enable organizations to make formal, machine-readable statements of compliance, backed by evidence and aligned with industry standards. Attestations represent a commitment to transparency and accountability, ensuring that compliance claims are clear, traceable, and substantiated. By supporting counterclaims and mitigation strategies, CycloneDX accommodates the complexity of real-world compliance scenarios and supports a nuanced view of adherence rather than a simple pass/fail verdict.
Through its structured approach, CycloneDX transforms compliance from a reactive process into a proactive strategy. Organizations can clearly articulate their compliance posture, collaborate more effectively with assessors, and provide assurances to stakeholders. This reduces misunderstandings and fosters a culture of trust and integrity in security and compliance practices.
Property | Usage Description |
---|---|
assessors | Entities responsible for evaluating claims and evidence are defined here. They can include third-party organizations or internal teams and are uniquely identified with a bom-ref for traceability. |
attestations | These are formal verification statements provided by assessors. Each attestation maps requirements to claims and counterclaims, along with conformance scores, rationales, mitigation strategies, and confidence levels, so that the assessment is thorough and its reasoning is visible. |
claims | Assertions or statements about a target are articulated here, supported by evidence or counter-evidence. They also detail mitigation strategies, reasoning, and optional external references to provide context for verification. |
evidence | Supporting data or artifacts for assertions are detailed here. Attributes such as classification, sensitive-data descriptions, and attachment content keep each evidence item relevant and traceable to the specific claims it supports or refutes. |
targets | The organizations, components, services, or other entities being assessed or referenced are identified here. They link claims, evidence, and attestations to specific stakeholders. |
affirmation | This is a formal certification statement by the signatories, affirming the accuracy of the declaration. It supports both electronic and digital signatures, which can make the attestation legally binding in applicable jurisdictions. |
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"declarations": {
"assessors": [
{
"bom-ref": "assessor-1",
"thirdParty": true,
"organization": {
"name": "Assessors Inc"
}
}
],
"attestations": [
{
"summary": "Attestation summary here",
"assessor": "assessor-1",
"map": [
{
"requirement": "requirement-1",
"claims": [ "claim-1" ],
"counterClaims": [ "counterClaim-1" ],
"conformance": {
"score": 0.8,
"rationale": "Conformance rationale here",
"mitigationStrategies": [ "mitigationStrategy-1" ]
},
"confidence": {
"score": 1,
"rationale": "Confidence rationale here"
}
}
],
"signature": {
"algorithm": "ES256",
"certificatePath": [ "MIIB...", "MIID..." ],
"value": "tqIT..."
}
}
],
"claims": [
{
"bom-ref": "claim-1",
"target": "acme-inc",
"predicate": "Predicate here",
"mitigationStrategies": [ "mitigationStrategy-1" ],
"reasoning": "Reasoning here",
"evidence": [ "evidence-1" ],
"counterEvidence": [ "counterEvidence-1" ],
"externalReferences": [
{
"type": "issue-tracker",
"url": "https://alm.example.com"
}
],
"signature": {
"algorithm": "ES256",
"certificatePath": [ "MIIB...", "MIID..." ],
"value": "tqIT..."
}
}
],
"evidence": [
{
"bom-ref": "evidence-1",
"propertyName": "internal.com.acme.someProperty",
"description": "Description here",
"data": [
{
"name": "Name of the data",
"contents": {
"attachment": {
"content": "Evidence here",
"contentType": "text/plain"
}
},
"classification": "PII",
"sensitiveData": [ "Describe sensitive data here" ]
}
],
"created": "2023-04-25T00:00:00+00:00",
"expires": "2023-05-25T00:00:00+00:00",
"author": {
"name": "Mary"
},
"reviewer": {
"name": "Jane"
},
"signature": {
"algorithm": "ES256",
"certificatePath": [ "MIIB...", "MIID..." ],
"value": "tqIT..."
}
},
{
"bom-ref": "counterEvidence-1",
"propertyName": "internal.com.acme.someProperty",
"description": "Description here",
"data": [
{
"name": "Name of the data",
"contents": {
"attachment": {
"content": "Counter evidence here",
"contentType": "text/plain"
}
},
"classification": "Public",
"sensitiveData": [ "Describe sensitive data here" ]
}
],
"created": "2023-04-25T00:00:00+00:00",
"expires": "2023-05-25T00:00:00+00:00",
"author": {
"name": "Mary"
},
"reviewer": {
"name": "Jane"
},
"signature": {
"algorithm": "ES256",
"certificatePath": [ "MIIB...", "MIID..." ],
"value": "tqIT..."
}
},
{
"bom-ref": "mitigationStrategy-1",
"propertyName": "internal.com.acme.someProperty",
"description": "Description here",
"data": [
{
"name": "Name of the data",
"contents": {
"attachment": {
"content": "Mitigation strategy here",
"contentType": "text/plain"
}
},
"classification": "Company Confidential",
"sensitiveData": [ "Describe sensitive data here" ]
}
],
"created": "2023-04-25T00:00:00+00:00",
"expires": "2023-05-25T00:00:00+00:00",
"author": {
"name": "Mary"
},
"reviewer": {
"name": "Jane"
},
"signature": {
"algorithm": "ES256",
"certificatePath": [ "MIIB...", "MIID..." ],
"value": "tqIT..."
}
}
],
"targets": {
"organizations": [
{
"bom-ref": "acme-inc",
"name": "Acme Inc"
}
]
},
"affirmation": {
"statement": "I certify, to the best of my knowledge, that all information is correct...",
"signatories": [
{
"name": "Tom",
"role": "CEO",
"signature": {
"algorithm": "ES256",
"certificatePath": [ "MIIB...", "MIID..." ],
"value": "tqIT..."
}
},
{
"name": "Jerry",
"role": "COO",
"organization": {
"name": "Acme Inc"
},
"externalReference": {
"type": "electronic-signature",
"url": "https://example.com/coo-sig.png"
}
}
],
"signature": {
"algorithm": "ES256",
"certificatePath": [ "MIIB...", "MIID..." ],
"value": "tqIT..."
}
},
"signature": {
"algorithm": "ES256",
"certificatePath": [ "MIIB...", "MIID..." ],
"value": "tqIT..."
}
},
"signature": {
"algorithm": "ES256",
"certificatePath": [ "MIIB...", "MIID..." ],
"value": "tqIT..."
}
}