What is the combined purpose of SBOM and vendor risk management in Annex B?

Multiple Choice

What is the combined purpose of SBOM and vendor risk management in Annex B?

Explanation:
This question tests how SBOM and vendor risk management work together to secure the software supply chain. An SBOM provides a complete inventory of the software components used in a product, listing each component, its version, its licenses, and its known vulnerabilities. This creates a clear map of what's inside the software, so you can identify potential security gaps, license compliance issues, and exposure from vulnerable libraries or dependencies.

Vendor risk management focuses on the security and reliability of your suppliers: assessing their security practices, governance, and ongoing risk, plus applying contractual controls and continuous monitoring to mitigate those risks. When you combine these approaches, you get both visibility into what’s inside your software and accountability for who supplied those parts. That dual view lets you remediate vulnerabilities more effectively, enforce secure development and procurement practices, and reduce overall supply-chain risk.

The other options don’t fit because SBOM isn’t just about hardware, and it doesn’t eliminate the need for secure coding or replace vulnerability scanning. Instead, SBOM catalogs software components, and vendor risk management addresses supplier-related risks, working together to strengthen security.