DEV-13 Transparency about Software Components

1. Overview
Designation: DEV-13.01B
Standard:
The cloud service provider ensures that, as part of the software development process, a list of software components is created, maintained and kept up to date for every developed or integrated software component.

This criterion can be fulfilled with a sufficiently detailed list of software components. Sufficiently detailed means that the list allows the cloud service provider to identify all cloud services affected by any given known vulnerability; in practice this requires at least the component name, the deployed version and the services that use it, since advisories are matched on name and version. The criterion can also be fulfilled with a Software Bill of Materials (SBOM). The established rules of technology for creating, maintaining and using SBOMs, including their contents and formats, are described in the current version of BSI Technical Guideline TR-03183-2. Automated tools for generating, maintaining and validating component lists or SBOMs are recommended, both for accuracy and so that the data feeds into security and vulnerability management processes. It is not necessarily required to store every version of the SBOM, just as with the other development processes for components, as long as the cloud service provider is able to keep track of the changes.

Designation: DEV-13.02B
Standard:
The cloud service provider also maintains a list of software components for integrated software components, except where such information is not available and cannot be produced with reasonable effort. The risk from these exceptions is treated according to SP-03.

This subcriterion applies only to integrated software components. Where an integrated component is, for example, open source and the criterion is fulfilled via SBOMs, there may be cases in which an SBOM is not available and cannot be produced with reasonable effort. "Reasonable effort" here means that replacing the component with one that does have an SBOM is not economically feasible. The risks arising from such exceptions are treated within the exception process (cf. SP-03).
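The following is an added illustration of DEV-13.01B and DEV-13.02B; it is not part of the BSI C5 text and does not use the TR-03183-2 SBOM format. It models a minimal component inventory and shows the three things the two subcriteria ask for: resolving a known-vulnerable component and its first fixed version to every cloud service that ships it (the "sufficient detail" test), recording changes between two inventory states instead of archiving every SBOM version, and surfacing integrated components with no SBOM as exceptions to be handled under SP-03. All service names, component names, versions and the advisory's fixed-in version are constructed sample data.

```python
"""Added illustration for DEV-13.01B and DEV-13.02B (not part of the BSI C5 text).

Sample data and record layout are constructed; this is a simplified stand-in,
not the TR-03183-2 SBOM format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    sbom_available: bool = True  # False: integrated component with no SBOM (DEV-13.02B)


# Constructed sample inventory: cloud service -> components deployed in it.
INVENTORY: Dict[str, List[Component]] = {
    "object-storage-api": [Component("libtls", "2.4.1"), Component("jsonparse", "1.9.0")],
    "identity-service": [Component("libtls", "2.3.7"),
                         Component("vendor-auth-plugin", "5.0", sbom_available=False)],
    "billing-portal": [Component("jsonparse", "1.8.2"), Component("libtls", "2.5.0")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real SBOM tooling needs each ecosystem's rules."""
    return tuple(int(part) for part in version.split("."))


def affected_services(inventory: Dict[str, List[Component]],
                      component: str, fixed_in: str) -> Dict[str, List[str]]:
    """Services shipping `component` below `fixed_in`, with the vulnerable version(s) found.

    This is the DEV-13.01B test: given a known vulnerability (component plus first fixed
    version), the inventory must yield every affected service, not just a "we use it" flag.
    """
    fixed = parse_version(fixed_in)
    hits: Dict[str, List[str]] = {}
    for service, components in inventory.items():
        for comp in components:
            if comp.name == component and parse_version(comp.version) < fixed:
                hits.setdefault(service, []).append(comp.version)
    return hits


def inventory_diff(old: Dict[str, List[Component]],
                   new: Dict[str, List[Component]]) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """Change records (service, component, old_version, new_version); None means absent.

    Keeping these records is what "able to keep track of the changes" requires,
    without storing a full SBOM snapshot for every release.
    """
    changes = []
    for service in sorted(set(old) | set(new)):
        before = {c.name: c.version for c in old.get(service, [])}
        after = {c.name: c.version for c in new.get(service, [])}
        for name in sorted(set(before) | set(after)):
            if before.get(name) != after.get(name):
                changes.append((service, name, before.get(name), after.get(name)))
    return changes


def apply_update(inventory: Dict[str, List[Component]], service: str,
                 component: str, new_version: str) -> Dict[str, List[Component]]:
    """Return a new inventory with `component` in `service` moved to `new_version`."""
    updated = {s: list(cs) for s, cs in inventory.items()}
    updated[service] = [Component(c.name, new_version, c.sbom_available) if c.name == component else c
                        for c in updated[service]]
    return updated


def sbom_exceptions(inventory: Dict[str, List[Component]]) -> List[Tuple[str, str, str]]:
    """Integrated components without an SBOM: each is a DEV-13.02B exception for SP-03."""
    return sorted((service, c.name, c.version)
                  for service, comps in inventory.items() for c in comps if not c.sbom_available)


if __name__ == "__main__":
    # Constructed advisory: libtls versions before 2.4.2 are vulnerable.
    print("affected:", affected_services(INVENTORY, "libtls", "2.4.2"))
    patched = apply_update(INVENTORY, "object-storage-api", "libtls", "2.4.2")
    print("changes:", inventory_diff(INVENTORY, patched))
    print("exceptions:", sbom_exceptions(INVENTORY))
```

The inventory is keyed by service rather than by component so that the vulnerability lookup answers the question DEV-13.01B actually asks (which services are exposed), and the exception list is derived from the same data so that an integrated component without an SBOM cannot silently drop out of the SP-03 process.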
1.1 References
1.2 Identified Requirements
1.3 Related Regulations

2. Identified Requirements
| Source | Requirement |

3. Related Regulations
| Source | Regulation |