Evidence Management

Introduction

Effective compliance relies on robust evidence management, and CycloneDX Attestations provide a systematic way to handle this critical task. By enabling organizations to collect, document, and present evidence in a structured, machine-readable format, CycloneDX reduces the risks and inefficiencies associated with manual evidence handling. Organizations can link specific claims to verifiable evidence, providing auditors and assessors with a clear and defensible compliance trail.

CycloneDX’s evidence management capabilities ensure that organizations can meet both internal and external requirements with confidence. Whether collecting evidence for regulatory audits or providing proof of adherence to internal policies, CycloneDX simplifies the process, fosters trust, and promotes transparency.

Highlighted fields

| Property | Usage Description |
| --- | --- |
| data | Represents the content of the evidence, including its name, attachments, classification, and sensitive data details. The contents field may include embedded or linked files, such as text or binary data, along with metadata to describe its structure and purpose. |
| classification | The category or type of the data, such as PII (Personally Identifiable Information), defining its sensitivity or regulatory impact. |
| created | The timestamp indicating when the evidence was created. |
| expires | The timestamp specifying when the evidence becomes invalid or is no longer applicable. |
| author | The individual or entity that created the evidence. |
| reviewer | The individual or entity responsible for reviewing and validating the evidence. |
| signature | Cryptographic data verifying the authenticity and integrity of the evidence, including the algorithm, certificate path, and signature value. |
The example below demonstrates how CycloneDX leverages bom-ref identifiers, such as evidence-1, to reference specific evidence when making compliance or security claims. With BOM-Link, evidence can optionally reside in a separate BOM file from the attestations, enabling flexible access control. This separation allows organizations to restrict access to sensitive evidence while still sharing attestations, catering to scenarios with varying security and privacy requirements.

Examples

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "declarations": {
    "evidence": [
      {
        "bom-ref": "evidence-1",
        "propertyName": "internal.com.acme.someProperty",
        "description": "Description here",
        "data": [
          {
            "name": "Name of the data",
            "contents": {
              "attachment": {
                "content": "Evidence here",
                "contentType": "text/plain"
              }
            },
            "classification": "PII",
            "sensitiveData": [ "Describe sensitive data here" ]
          }
        ],
        "created": "2023-04-25T00:00:00+00:00",
        "expires": "2023-05-25T00:00:00+00:00",
        "author": { "name": "Mary" },
        "reviewer": { "name": "Sanford" },
        "signature": {
          "algorithm": "ES256",
          "certificatePath": [ "MIIB...", "MIID..." ],
          "value": "tqIT..."
        }
      }
    ]
  }
}
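As an added example (not part of the CycloneDX guide or the project's own tooling), the following Python resolves an evidence reference given either as a bare bom-ref or as a BOM-Link (urn:cdx:serialNumber/version#bom-ref) and reviews the resolved entry for the properties described above: validity window, PII classification, presence of a complete signature block, and author/reviewer separation. The sample BOM is a constructed, trimmed copy of the example above; signature presence is checked, but no cryptographic verification is performed.

```python
import re
from datetime import datetime

# Constructed sample, trimmed from the attestation BOM shown on this page.
BOM = {
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1,
    "declarations": {"evidence": [{
        "bom-ref": "evidence-1", "propertyName": "internal.com.acme.someProperty",
        "data": [{"name": "Name of the data", "classification": "PII",
                  "contents": {"attachment": {"content": "Evidence here", "contentType": "text/plain"}}}],
        "created": "2023-04-25T00:00:00+00:00", "expires": "2023-05-25T00:00:00+00:00",
        "author": {"name": "Mary"}, "reviewer": {"name": "Sanford"},
        "signature": {"algorithm": "ES256", "certificatePath": ["MIIB...", "MIID..."],
                      "value": "tqIT..."}}]}}

BOM_LINK = re.compile(r"^urn:cdx:([0-9a-fA-F-]{36})/(\d+)#(.+)$")  # urn:cdx:<serial>/<version>#<bom-ref>

def index_evidence(bom):
    """Map every evidence bom-ref in the BOM's declarations to its entry."""
    return {e["bom-ref"]: e for e in bom.get("declarations", {}).get("evidence", [])}

def resolve_ref(bom, ref):
    """Resolve a bare bom-ref or a BOM-Link; a link naming another serial/version is a foreign BOM -> None."""
    m = BOM_LINK.match(ref)
    if m:
        serial, version, local_ref = m.groups()
        if bom.get("serialNumber") != f"urn:uuid:{serial}" or str(bom.get("version")) != version:
            return None  # lives in a separate BOM, which must be fetched under its own access controls
        ref = local_ref
    return index_evidence(bom).get(ref)

def check_evidence(entry, now_iso):
    """Return review findings for one evidence entry as of `now_iso` (ISO 8601 with UTC offset)."""
    now = datetime.fromisoformat(now_iso)
    created = datetime.fromisoformat(entry["created"])
    expires = datetime.fromisoformat(entry["expires"]) if "expires" in entry else None
    findings = []
    if expires is not None and expires <= created:
        findings.append("expires is not after created")
    if expires is not None and now >= expires:
        findings.append("expired")
    for d in entry.get("data", []):
        if d.get("classification") == "PII":  # sensitive: keep out of broadly shared BOMs
            findings.append(f"PII in data '{d.get('name')}'")
    sig = entry.get("signature", {})
    if not all(k in sig for k in ("algorithm", "certificatePath", "value")):
        findings.append("signature missing or incomplete")  # presence only; not cryptographically verified
    if entry.get("author", {}).get("name") == entry.get("reviewer", {}).get("name"):
        findings.append("author and reviewer are the same party")
    return findings
```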