What is the primary purpose of an SBOM and vendor risk management in Annex B?

Prepare for the DSAC-11 Annex B Test. Study with our quiz featuring flashcards and multiple-choice questions, each question accompanied by hints and explanations. Get ready to excel!

Multiple Choice

What is the primary purpose of an SBOM and vendor risk management in Annex B?

Explanation:
Focus on visibility into what your software is made of and how its suppliers affect security. An SBOM, or Software Bill of Materials, creates a clear inventory of every component in a software product: every library, framework, and third-party module, with versions and origins. This visibility makes it possible to map components to known vulnerabilities and track which vendors supply each piece. When you combine that with vendor risk management, you're not just looking at the software in isolation; you're assessing the security posture and practices of the external suppliers who provide those components and services. Together, they support proactive supply-chain security: identifying vulnerabilities in external software and services and managing risks tied to vendors, so you can prioritize patches, enforce appropriate controls, and reduce exposure.

Other options miss the mark because they focus on internal training, API rate controls, or cryptographic key management in ways that don't address the main goal of understanding and managing the security implications of outside software and supplier relationships.
