Compliance Automation

Introduction

Compliance automation is a cornerstone of efficient and scalable security management, and CycloneDX Attestations provide the tools to make it a reality. By leveraging machine-readable standards and integrating OpenCRE, CycloneDX enables organizations to automate compliance processes from requirements mapping to evidence collection and evaluation. OpenCRE bridges the gap between disparate standards, facilitating seamless alignment and reducing duplication of effort.

CycloneDX’s compliance automation capabilities ensure faster feedback loops, fewer surprises during audits, and enhanced scalability. Organizations can confidently track, manage, and report on compliance in real-time, freeing resources to focus on innovation and risk reduction. CycloneDX not only simplifies compliance but also empowers organizations to transform it into a competitive advantage.

This example highlights the power of CycloneDX in enabling machine-readable standards and streamlining attestations through structured, interoperable data. It demonstrates how a requirement from the Secure Software Development Framework (SSDF) is mapped to an OpenCRE identifier (CRE:148-853). OpenCRE provides a mechanism to link similar or equivalent requirements across standards, allowing evidence substantiating conformance to one requirement to be reused across multiple standards. This capability is invaluable in industries such as finance, healthcare, and technology, where numerous overlapping standards must be adhered to. Governments worldwide also rely on frameworks like SSDF for ensuring secure software practices.

The integration of OpenCRE ensures that organizations can efficiently manage compliance and reduce redundancy. In this case, evidence attached to the SSDF requirement can seamlessly serve as proof of conformance for other standards sharing similar requirements, minimizing duplication of effort. This example illustrates how CycloneDX fosters interoperability and reusability, making it an essential tool for modern compliance workflows.

Examples

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:fe247348-f2cd-4d20-b943-bd4b0772e385",
  "version": 1,
  "metadata": {
    "manufacturer": {
      "name": "National Institute of Standards and Technology",
      "url": [
        "https://www.nist.gov/"
      ]
    },
    "supplier": {
      "name": "OWASP Foundation",
      "url": [
        "https://owasp.org/",
        "https://cyclonedx.org/",
        "https://github.com/CycloneDX/official-3rd-party-standards"
      ]
    },
    "licenses": [
      {
        "license": {
          "name": "Fair Use of Other NIST Data/Works",
          "url": "https://www.nist.gov/open/license",
          "text": {
            "encoding": "base64",
            "content": "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"
          }
        }
      }
    ]
  },
  "definitions": {
    "standards": [
      {
        "bom-ref": "ssdf-1.1",
        "name": "Secure Software Development Framework (SSDF) Version 1.1",
        "description": "NIST Special Publication 800-218",
        "version": "1.1",
        "owner": "National Institute of Standards and Technology",
        "requirements": [
          {
            "bom-ref": "ssdf-1.1-PO",
            "identifier": "PO",
            "text": "Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects.",
            "openCre": [
              "CRE:148-853"
            ],
            "externalReferences": [
              {
                "type": "documentation",
                "url": "https://csrc.nist.gov/csrc/media/Publications/sp/800-218/final/documents/NIST.SP.800-218.SSDF-table.xlsx#Groups!A1"
              }
            ]
          }
        ]
      }
    ]
  }
}
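The reuse the text above describes (evidence attached to one requirement counting towards every requirement that maps to the same OpenCRE identifier) is easy to state and worth seeing as code. The following Python is an added example, not CycloneDX project code. It embeds a constructed, trimmed copy of the document above plus a second, hypothetical standard ("exstd-2.0") whose requirement EX-1 also maps to CRE:148-853; it models evidence attachment as a plain dict from requirement bom-ref to evidence ids rather than the full CycloneDX declarations structure, which the page does not show; and it validates OpenCRE identifiers against the CRE:NNN-NNN shape seen in CRE:148-853, which is an assumption about the id format.

```python
import json
import re
from collections import defaultdict

# Constructed sample document: the SSDF entry from the page (trimmed) plus a
# second, hypothetical standard whose requirement maps to the same OpenCRE id.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "definitions": {
    "standards": [
      {
        "bom-ref": "ssdf-1.1",
        "name": "Secure Software Development Framework (SSDF) Version 1.1",
        "requirements": [
          {"bom-ref": "ssdf-1.1-PO", "identifier": "PO", "openCre": ["CRE:148-853"]}
        ]
      },
      {
        "bom-ref": "exstd-2.0",
        "name": "Hypothetical Example Standard 2.0 (constructed for this example)",
        "requirements": [
          {"bom-ref": "exstd-2.0-EX-1", "identifier": "EX-1", "openCre": ["CRE:148-853"]},
          {"bom-ref": "exstd-2.0-EX-2", "identifier": "EX-2", "openCre": ["CRE:000-000"]}
        ]
      }
    ]
  }
}
""")

# Constructed evidence attachment: requirement bom-ref -> evidence ids. This is a
# stand-in for the CycloneDX declarations structure, which the page does not show.
SAMPLE_EVIDENCE = {"ssdf-1.1-PO": ["ev-secure-dev-policy"]}

# Assumed shape of an OpenCRE identifier, generalised from the page's CRE:148-853.
CRE_ID = re.compile(r"^CRE:\d{3}-\d{3}$")


def index_requirements(bom):
    """Build two indexes: requirement bom-ref -> CRE ids, and CRE id -> requirement bom-refs.

    Raises ValueError on a duplicate bom-ref or a malformed openCre id, so a bad
    mapping is rejected before any evidence is reused on the strength of it.
    """
    cres_by_req = {}
    reqs_by_cre = defaultdict(set)
    for standard in bom.get("definitions", {}).get("standards", []):
        for req in standard.get("requirements", []):
            ref = req["bom-ref"]
            if ref in cres_by_req:
                raise ValueError(f"duplicate requirement bom-ref: {ref}")
            cres = set()
            for cre in req.get("openCre", []):
                if not CRE_ID.match(cre):
                    raise ValueError(f"malformed OpenCRE id {cre!r} on {ref}")
                cres.add(cre)
                reqs_by_cre[cre].add(ref)
            cres_by_req[ref] = cres
    return cres_by_req, dict(reqs_by_cre)


def _linked(cres_by_req, reqs_by_cre, req_ref):
    # Requirements (in any standard) sharing at least one CRE id with req_ref.
    linked = set()
    for cre in cres_by_req[req_ref]:
        linked |= reqs_by_cre[cre]
    linked.discard(req_ref)
    return linked


def equivalent_requirements(bom, req_ref):
    """Return the bom-refs of requirements that share a CRE id with req_ref."""
    cres_by_req, reqs_by_cre = index_requirements(bom)
    if req_ref not in cres_by_req:
        raise KeyError(req_ref)
    return _linked(cres_by_req, reqs_by_cre, req_ref)


def reusable_evidence(bom, evidence_by_req):
    """Map every requirement to the evidence it can cite, directly or via a shared CRE id."""
    cres_by_req, reqs_by_cre = index_requirements(bom)
    result = {}
    for ref in cres_by_req:
        evidence = set(evidence_by_req.get(ref, []))
        for other in _linked(cres_by_req, reqs_by_cre, ref):
            evidence |= set(evidence_by_req.get(other, []))
        result[ref] = evidence
    return result


if __name__ == "__main__":
    for ref, evidence in sorted(reusable_evidence(SAMPLE_BOM, SAMPLE_EVIDENCE).items()):
        print(f"{ref}: {sorted(evidence) or 'no evidence'}")
```

Running the block shows EX-1 inheriting the evidence attached to the SSDF PO requirement while EX-2, which maps to a different CRE id, gets none. Reuse is deliberately one hop: evidence flows only between requirements that directly share a CRE id and does not chain through a third requirement, so an auditor can trace every reused item to a single explicit mapping. Rejecting malformed identifiers up front matters for the same reason: a typo in an openCre entry would otherwise silently break or misdirect that reuse.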