SBOMs & Vulnerability Management video is in production
Subscribe to @funbirdllc on YouTube so you get notified the moment the video drops. In the meantime, read the full article below — it covers everything.
What Is a Software Bill of Materials (SBOM)?
A Software Bill of Materials is a formal, machine-readable inventory of all components, libraries, and dependencies that make up a software application. Think of it like a nutrition label for software — it tells you exactly what ingredients are inside. An SBOM lists every open-source library, third-party component, version number, license, and known vulnerability associated with a piece of software. For the CySA+ CS0-003 exam, SBOMs are covered in Domain 2 — Vulnerability Management — and you need to understand what they are, why they matter, and how Executive Order 14028 made them mandatory for federal software vendors.
Why SBOMs Matter — The Supply Chain Problem
The 2020 SolarWinds attack and the 2021 Log4Shell vulnerability both exploited the same fundamental problem — organizations had no visibility into what third-party components were running in their environments. With Log4Shell, thousands of organizations were vulnerable to CVE-2021-44228 but had no way to quickly identify which of their applications used the Log4j library because they had no SBOM. An SBOM solves this by giving security teams an instant answer to the question: do we use this vulnerable component anywhere? Without an SBOM, answering that question requires manually auditing every application — which takes days or weeks. With an SBOM, it takes minutes.
Executive Order 14028 — What CySA+ Expects You to Know
Executive Order 14028, signed in May 2021, fundamentally changed software security requirements for the US federal government. The key requirements you must know for the CySA+ exam are: all software vendors selling to the federal government must provide an SBOM for their products; software development must incorporate Software Composition Analysis into the CI/CD pipeline; known vulnerabilities must be disclosed; and federal agencies must adopt Zero Trust Architecture. The EO also established the concept of secure software development practices and made NIST SP 800-218 the Secure Software Development Framework reference standard. For the exam, know that EO 14028 is the policy driver behind SBOM adoption and that it applies specifically to federal software vendors, not all organizations.
Software Composition Analysis (SCA)
Software Composition Analysis is the automated process of identifying open-source and third-party components in a codebase and checking them against vulnerability databases for known CVEs. SCA tools integrate directly into CI/CD pipelines — tools like Snyk, OWASP Dependency-Check, and GitHub Dependabot scan every build and flag vulnerable dependencies before they reach production. The relationship between SBOM and SCA is important for the exam: SCA generates the data that populates an SBOM. SCA finds what components exist and what vulnerabilities they have. The SBOM is the formal document that records that inventory. You use SCA to create and maintain an SBOM, and you use the SBOM to rapidly assess exposure when new vulnerabilities are disclosed.
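The SCA step described above, as an added example that is not part of the original article: read a pinned dependency lockfile, emit the CycloneDX-shaped component records that would populate an SBOM, and check each component against an advisory feed with version ranges. The lockfile contents, package versions and advisory identifiers are constructed for this example; the matching logic is a simplified stand-in for what tools like Dependency-Check or Dependabot do against real databases.

```python
"""Added example (not from the article): a minimal software-composition-
analysis (SCA) pass.  It reads a pinned dependency lockfile, emits the
CycloneDX-shaped component records that would populate an SBOM, and checks
each component against an advisory feed.  The lockfile contents, package
versions and advisory identifiers are constructed for this example."""
import json
import re

# Constructed lockfile (pip requirements.txt style, fully pinned).
LOCKFILE = """\
requests==2.25.1
urllib3==1.26.4
# comment lines and blank lines are ignored
pyyaml==5.3.1
"""

# Constructed advisory feed: package -> [(first vulnerable, first fixed, id)].
# A component is affected when first_vulnerable <= version < first_fixed.
ADVISORIES = {
    "urllib3": [("1.26.0", "1.26.5", "EXAMPLE-ADV-0001")],
    "pyyaml": [("0.0.0", "5.4.0", "EXAMPLE-ADV-0002")],
}


def parse_version(text):
    """Reduce a version string to a comparable 3-tuple of integers."""
    parts = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_lockfile(text):
    """Return [(name, version)] for every 'name==version' line."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][A-Za-z0-9.\-]*)", line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
    return deps


def to_cyclonedx_components(deps):
    """Shape each dependency as a CycloneDX 'components' entry with a purl."""
    return [
        {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
        for n, v in deps
    ]


def match_advisories(components, advisories):
    """Return one finding per (component, advisory) whose version range matches."""
    findings = []
    for comp in components:
        version = parse_version(comp["version"])
        for low, fixed, advisory_id in advisories.get(comp["name"], []):
            if parse_version(low) <= version < parse_version(fixed):
                findings.append({"purl": comp["purl"], "advisory": advisory_id})
    return findings


def run_sca(lockfile_text=LOCKFILE, advisories=ADVISORIES):
    """Build the SBOM document and the list of vulnerable components."""
    components = to_cyclonedx_components(parse_lockfile(lockfile_text))
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}
    return sbom, match_advisories(components, advisories)


if __name__ == "__main__":
    sbom, findings = run_sca()
    print(json.dumps(sbom, indent=2))
    for f in findings:
        print("VULNERABLE:", f["purl"], "->", f["advisory"])
```

In a CI/CD pipeline the `sbom` document is what gets stored as the release artifact, while a non-empty `findings` list is what fails the build; the two outputs come from the same pass, which is the SBOM/SCA relationship the exam expects you to recognize.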
SBOM Formats — Know All Three
Three SBOM formats are recognized by NTIA and referenced on the CySA+ exam. CycloneDX is developed by OWASP and supports JSON and XML formats — it is the most widely adopted format for security use cases and is preferred for vulnerability management workflows. SPDX, the Software Package Data Exchange, is developed by the Linux Foundation and is an ISO standard (ISO 5962) — it is widely used in open-source compliance and license management. SWID Tags, Software Identification Tags defined in ISO 19770-2, are used primarily in enterprise environments for software asset management and patch management workflows. For the CySA+ exam, know that all three are valid SBOM formats and that CycloneDX and SPDX are the most commonly tested.
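The "do we use this vulnerable component anywhere?" lookup from the supply chain section, run across SBOMs in the two most commonly tested formats, as an added example that is not part of the original article. The three application SBOMs are constructed for the example; the field names follow the CycloneDX 1.x and SPDX 2.x JSON encodings, and both are normalized into one inventory before the lookup.

```python
"""Added example (not from the article): read SBOMs in the CycloneDX and SPDX
JSON encodings into one normalized inventory, then answer "do we use this
component anywhere?" across every application.  The three application SBOMs
below are constructed for the example."""
import json

# Constructed CycloneDX document for an application that still ships log4j 2.14.1.
BILLING_API_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    ],
})

# Constructed SPDX document for an application that already upgraded log4j.
REPORTING_UI_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "reporting-ui",
    "packages": [
        {"SPDXID": "SPDXRef-Package-log4j", "name": "log4j-core",
         "versionInfo": "2.17.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
        {"SPDXID": "SPDXRef-Package-guava", "name": "guava", "versionInfo": "31.1-jre"},
    ],
})

# Constructed CycloneDX document for an application with no log4j at all.
AUTH_SERVICE_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "logback-classic", "version": "1.2.11",
                    "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11"}],
})

INVENTORY = {"billing-api": BILLING_API_CDX, "reporting-ui": REPORTING_UI_SPDX,
             "auth-service": AUTH_SERVICE_CDX}


def normalize_sbom(text):
    """Return [{'name', 'version', 'purl'}] regardless of the input format."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return [{"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl")}
                for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        out = []
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            out.append({"name": p.get("name"), "version": p.get("versionInfo"), "purl": purl})
        return out
    raise ValueError("unrecognized SBOM format")


def find_component(inventory, component_name):
    """Which applications ship component_name, and at which version?"""
    hits = []
    for app, text in inventory.items():
        for comp in normalize_sbom(text):
            if comp["name"] == component_name:
                hits.append((app, comp["version"]))
    return sorted(hits)


if __name__ == "__main__":
    for app, version in find_component(INVENTORY, "log4j-core"):
        print(f"{app}: log4j-core {version}")
```

The answer comes back in seconds with the version per application, which is exactly what an incident responder needs when an advisory lists affected version ranges; without the inventory, the same question means opening every build.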
Vulnerability Prioritization — CVSS vs EPSS vs KEV
Not all vulnerabilities can be patched immediately — prioritization is essential. CVSS, the Common Vulnerability Scoring System, assigns a severity score from 0 to 10 based on the vulnerability’s characteristics — exploitability, impact, and scope. A CVSS score of 9 or higher is Critical. However, CVSS alone has a major limitation — it scores the vulnerability in isolation without considering whether it is actually being exploited in the wild. EPSS, the Exploit Prediction Scoring System, addresses this by providing a probability score of how likely a vulnerability is to be exploited in the next 30 days. A vulnerability with a low CVSS score but a high EPSS score should be prioritized over one with a high CVSS score but zero exploitation activity. CISA’s Known Exploited Vulnerabilities catalog is the most actionable list — if a vulnerability appears in the KEV catalog it means it is actively being exploited and must be patched immediately in federal environments.
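The three signals combined into one triage order, as an added example that is not part of the original article. The CVE identifiers, scores and KEV membership are constructed, and the EPSS cut-off of 0.10 is an assumed organizational policy value rather than a published threshold; the CVSS severity bands are the standard CVSS v3 qualitative ratings.

```python
"""Added example (not from the article): rank findings by combining KEV
membership, EPSS probability and CVSS severity.  CVE identifiers, scores and
KEV flags below are constructed; the EPSS cut-off is an assumed policy value."""

EPSS_THRESHOLD = 0.10  # assumed: a 10% 30-day exploitation probability is urgent

# Constructed scanner output: one row per finding.
FINDINGS = [
    {"cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "epss": 0.00, "kev": False},
    {"cve": "CVE-EXAMPLE-0002", "cvss": 5.3, "epss": 0.91, "kev": False},
    {"cve": "CVE-EXAMPLE-0003", "cvss": 7.5, "epss": 0.42, "kev": True},
    {"cve": "CVE-EXAMPLE-0004", "cvss": 4.0, "epss": 0.01, "kev": False},
]


def cvss_severity(score):
    """CVSS v3 qualitative rating bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def triage_tier(finding):
    """Assign a priority tier: confirmed exploitation beats likely exploitation
    beats raw severity."""
    if finding["kev"]:
        return "P1"  # in the CISA KEV catalog: actively exploited, patch now
    if finding["epss"] >= EPSS_THRESHOLD:
        return "P2"  # likely to be exploited soon, even if CVSS is modest
    if cvss_severity(finding["cvss"]) == "Critical":
        return "P3"  # severe on paper but no exploitation signal yet
    return "P4"      # schedule with routine patching


def prioritize(findings):
    """Return findings ordered most urgent first: tier, then EPSS, then CVSS."""
    return sorted(findings, key=lambda f: (triage_tier(f), -f["epss"], -f["cvss"]))


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(triage_tier(f), f["cve"], cvss_severity(f["cvss"]), f"EPSS={f['epss']:.2f}")
```

Note the order the sort produces: the KEV entry comes first regardless of score, the medium-severity finding with a high EPSS outranks the 9.8 with no exploitation activity, and the Critical CVSS only decides placement once neither exploitation signal is present.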
Key CySA+ CS0-003 Exam Takeaways
An SBOM is a machine-readable inventory of all software components, libraries, and dependencies. SBOMs solve the supply chain visibility problem demonstrated by SolarWinds and Log4Shell. Executive Order 14028 mandates SBOMs for federal software vendors and requires SCA in CI/CD pipelines. SCA generates the data that populates an SBOM — they work together, not independently. The three SBOM formats are CycloneDX, SPDX, and SWID — CycloneDX and SPDX are the most commonly tested. Vulnerability prioritization uses CVSS for severity scoring, EPSS for exploitation probability, and the CISA KEV catalog for confirmed active exploitation. Domain 2 covers 30 percent of the CySA+ CS0-003 exam — it is the second largest domain.
More CySA+ content on YouTube
Subscribe to @funbirdllc for weekly blue team walkthroughs, SOC labs, and CySA+ exam breakdowns.