PS.3.2: Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]).
Example 1: Make the provenance data available to software acquirers in accordance with the organization’s policies, preferably using standards-based formats.
Example 2: Make the provenance data available to the organization’s operations and response teams to aid them in mitigating software vulnerabilities.
Example 3: Protect the integrity of provenance data, and provide a way for recipients to verify provenance data integrity.
Example 4: Update the provenance data every time any of the software’s components are updated.
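Examples 3 and 4 above call for provenance data whose integrity recipients can check and which is regenerated whenever a component changes. The following is an added illustration, not part of NIST's text, of one way to do that for an SBOM-style record: the SBOM is serialized canonically (sorted keys, fixed separators) so that two logically equal documents produce the same bytes, an integrity tag is computed over those bytes, and verification uses a constant-time comparison. It uses HMAC-SHA256 from the Python standard library purely so it runs offline; a real release pipeline would use a public-key signature (for example a Sigstore or in-toto attestation) so that acquirers can verify with a published key rather than a shared secret. The SBOM content, component names, versions and the key are all constructed sample values.

```python
import copy
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed sample SBOM fragment (hypothetical product and component names).
SAMPLE_SBOM: Dict[str, Any] = {
    "bomFormat": "ExampleSBOM",
    "release": "example-app 1.4.0",
    "components": [
        {"name": "libfoo", "version": "2.3.1", "supplier": "Example Vendor A"},
        {"name": "libbar", "version": "0.9.7", "supplier": "Example Vendor B"},
    ],
}

# Constructed demo key. In a real pipeline the producer would sign with a
# private key and publish the public key; a shared secret is used here only
# because it needs no third-party library.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def canonicalize(sbom: Dict[str, Any]) -> bytes:
    """Serialize the SBOM deterministically so equal documents hash equally.

    Sorted keys and fixed separators remove formatting differences (key order,
    whitespace) that would otherwise change the integrity tag without any
    change to the provenance content.
    """
    return json.dumps(sbom, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def seal_provenance(sbom: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Attach an integrity block to a copy of the SBOM (Example 3)."""
    canonical = canonicalize(sbom)
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {
        "sbom": copy.deepcopy(sbom),
        "integrity": {
            "alg": "HMAC-SHA256",
            "content_sha256": hashlib.sha256(canonical).hexdigest(),
            "tag": tag,
        },
    }


def verify_provenance(sealed: Dict[str, Any], key: bytes) -> bool:
    """Recompute the tag over the received SBOM and compare in constant time.

    Returns False if the content was altered, the tag is missing or malformed,
    or a different key was used to seal it.
    """
    integrity = sealed.get("integrity") or {}
    if integrity.get("alg") != "HMAC-SHA256" or "tag" not in integrity:
        return False
    expected = hmac.new(key, canonicalize(sealed["sbom"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, integrity["tag"])


def update_component(sealed: Dict[str, Any], key: bytes,
                     name: str, new_version: str) -> Dict[str, Any]:
    """Apply a component update and re-seal the record (Example 4).

    The old integrity block is discarded: provenance data must be regenerated,
    not patched, whenever any component changes.
    """
    sbom = copy.deepcopy(sealed["sbom"])
    matches = [c for c in sbom["components"] if c["name"] == name]
    if not matches:
        raise KeyError(f"component not in SBOM: {name}")
    for component in matches:
        component["version"] = new_version
    return seal_provenance(sbom, key)


if __name__ == "__main__":
    record = seal_provenance(SAMPLE_SBOM, DEMO_KEY)
    print("fresh record verifies:", verify_provenance(record, DEMO_KEY))
    tampered = copy.deepcopy(record)
    tampered["sbom"]["components"][0]["version"] = "2.3.1-backdoored"
    print("tampered record verifies:", verify_provenance(tampered, DEMO_KEY))
    bumped = update_component(record, DEMO_KEY, "libfoo", "2.3.2")
    print("re-sealed after update verifies:", verify_provenance(bumped, DEMO_KEY))
```

The `content_sha256` field is informational only; it lets a recipient match the record against a separately published digest but, unlike the keyed tag, gives no protection against an attacker who can rewrite both the SBOM and the digest.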