2.5 Validate Firmware Software Bill of Materials (SBOM)

Requirement Description:

Verify that each firmware maintains a Software Bill of Materials (SBOM) cataloging:

  • All third-party components

  • Their versions

  • Associated published vulnerabilities


DUT Confirmation Details:

(To be filled in after OEM confirmation)


DUT Software Details:

(To be filled in after review of the software stack and its components)


Hash Checksum Verification for DUT’s Software Image:

(To be recorded after integrity verification – typically SHA-256)
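The two checks the clause relies on (that the SBOM lists every component with a version and a tracked vulnerability status, and that the DUT image's SHA-256 matches the vendor's published digest) are mechanical enough to script. The block below is an added illustration, not part of this test-plan document or any vendor tooling. It assumes a simplified SBOM laid out like CycloneDX JSON (a `components` array plus a top-level `vulnerabilities` array that points at components by `bom-ref`); the firmware bytes, the SBOM contents and the vulnerability identifiers are all constructed placeholders.

```python
import hashlib
import json
from typing import Any, Dict, List

# --- Constructed inputs (not taken from the test plan) ----------------------

# Stand-in for the DUT firmware image. In practice this is the file pulled
# from the device or the OEM download, and the expected digest comes from the
# vendor's published (ideally signed) manifest rather than being computed here.
FIRMWARE_IMAGE = b"\x7fELF" + b"\x00" * 60 + b"constructed firmware payload"
EXPECTED_SHA256 = hashlib.sha256(FIRMWARE_IMAGE).hexdigest()

# Simplified SBOM modelled on the CycloneDX JSON layout (assumption).
# Vulnerability ids are placeholders, not real advisories.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:generic/openssl@1.1.1k", "name": "openssl", "version": "1.1.1k"},
    {"bom-ref": "pkg:generic/zlib@1.2.11",    "name": "zlib",    "version": "1.2.11"},
    {"bom-ref": "pkg:generic/busybox",        "name": "busybox"}
  ],
  "vulnerabilities": [
    {"id": "VULN-PLACEHOLDER-1",
     "affects": [{"ref": "pkg:generic/openssl@1.1.1k"}],
     "analysis": {"state": "resolved"}},
    {"id": "VULN-PLACEHOLDER-2",
     "affects": [{"ref": "pkg:generic/zlib@1.2.11"}]}
  ]
}
"""


def verify_image_hash(image: bytes, expected_hex: str) -> bool:
    """Integrity check for the DUT software image (the SHA-256 step of the clause)."""
    actual = hashlib.sha256(image).hexdigest()
    return actual.lower() == expected_hex.strip().lower()


def validate_sbom(sbom: Dict[str, Any]) -> Dict[str, Any]:
    """Check the SBOM against the clause: every third-party component is named,
    versioned, and every listed vulnerability maps to a known component and
    carries a tracked analysis/remediation state."""
    findings: List[str] = []
    components = sbom.get("components", [])
    if not components:
        findings.append("SBOM lists no components")

    known_refs = set()
    for comp in components:
        name = comp.get("name") or "<unnamed>"
        ref = comp.get("bom-ref")
        if ref:
            known_refs.add(ref)
        if not comp.get("name"):
            findings.append(f"component {ref or '<no ref>'} has no name")
        if not comp.get("version"):
            # Without a version the component cannot be matched to advisories.
            findings.append(f"component '{name}' has no version")

    vulns = sbom.get("vulnerabilities", [])
    for vuln in vulns:
        vid = vuln.get("id") or "<no id>"
        affected = [a.get("ref") for a in vuln.get("affects", [])]
        for ref in affected:
            if ref not in known_refs:
                findings.append(f"vulnerability {vid} references unknown component ref {ref!r}")
        state = (vuln.get("analysis") or {}).get("state")
        if not state:
            # The clause's policy pre-condition: each disclosed vulnerability
            # must be tracked and evaluated, so an untriaged entry is a finding.
            findings.append(f"vulnerability {vid} affecting {affected} has no analysis/remediation state")

    return {
        "components": len(components),
        "vulnerabilities": len(vulns),
        "findings": findings,
        "pass": not findings,
    }


def run_clause_2_5(sbom_json: str, image: bytes, expected_hex: str) -> Dict[str, Any]:
    """Combine both checks into one record suitable for the test report."""
    report = validate_sbom(json.loads(sbom_json))
    report["image_sha256"] = hashlib.sha256(image).hexdigest()
    report["image_hash_ok"] = verify_image_hash(image, expected_hex)
    report["pass"] = report["pass"] and report["image_hash_ok"]
    return report


if __name__ == "__main__":
    print(json.dumps(run_clause_2_5(SBOM_JSON, FIRMWARE_IMAGE, EXPECTED_SHA256), indent=2))
```

On the constructed SBOM this reports two findings (busybox has no version; VULN-PLACEHOLDER-2 has no analysis state), so the clause fails even though the image hash matches; a single tampered byte in the image flips `image_hash_ok` to false as well. The report dictionary is the kind of record that would populate the "DUT Software Details" and "Hash Checksum Verification" fields above.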


DUT Configuration:

(To include firmware/software versions, active services, modules enabled, etc.)


Pre-Conditions:

The vendor shall provide:

  • Complete SBOM documentation (including OSS and third-party binaries).

  • List of software libraries/frameworks with version information.

  • Organizational policy documentation for:

    • Tracking, evaluating, and patching third-party vulnerabilities.

    • Customer notification protocols for disclosed vulnerabilities.

    • Use of configuration management system (CMS) to maintain version control of firmware, libraries, patches, and fixes.


Test Plan Overview:

  • Total Test Cases: 3

  • Approach: Review of SBOM, policies, CMS integration, and vulnerability tracking.

  • Purpose: Ensure transparency, traceability, and proactive risk management in firmware lifecycle.


Test-bed Diagram with Interfaces and IPs:

(Diagram to be attached or described after test-bed setup, showing the test PC, DUT, update server, logging system, etc.)
