On 9 July 2025, CERT-In published version 2.0 of its
Technical Guidelines on SBOM, QBOM & CBOM, AIBOM and HBOM. The SBOM section names 21 minimum data fields per component; the AIBOM section adds a model-and-dataset inventory most Indian SaaS teams have never produced. The guidelines are advisory today, but your enterprise buyers' procurement teams started asking for both in Q3 2025. This post is the 30-day sprint we run for clients — what an AIBOM actually contains, the CycloneDX tooling that generates it, and the evidence pack you hand an auditor.
09 Jul 2025
CERT-In v2.0 publication date
21
Minimum SBOM data fields per component
5
BOM types in scope (S/Q/C/AI/H)
30 days
Our sprint, discovery to evidence pack
## TL;DR — What does CERT-In's v2.0 actually require?
An SBOM is a machine-readable list of every software component you ship, with 21 fields each (name, supplier, version, license, known vulnerabilities, patch status, end-of-life date, checksum, and more). An AIBOM extends that to AI: the model, its training datasets, the ML frameworks, and the intended-and-prohibited use cases. Both are advisory under the guidelines, not yet mandatory law — but B2B buyers now treat them as table stakes.
## Why this matters now — August 2025
CERT-In's first BOM guidelines covered SBOM only. Version 2.0, dated 9 July 2025, widened scope to five bill-of-materials types: software (SBOM), quantum (QBOM), cryptographic (CBOM), AI (AIBOM), and hardware (HBOM). The document targets the "public sector, Government, essential services and organisations involved in software export and software services industry" — which is most Indian SaaS selling to banks, government, or EU customers.
The trigger for action is not the regulator. It is the buyer. A 35-person Pune SaaS client of ours got a vendor security questionnaire from a public-sector bank in August 2025 that asked, verbatim, for "a current SBOM in CycloneDX or SPDX format and, where AI/ML is used, an AIBOM." They had neither. We built both in three weeks. The legal analyses from
AZB & Partners and
MediaNama both flag the same thing: advisory now, procurement-driven immediately.
An SBOM answers "what open-source and third-party code is inside this product?" An AIBOM answers "what model, what data, and what guardrails are inside this AI feature?" CERT-In v2.0 wants both, in a format a machine can parse.
## What does an AIBOM look like? (The fields)
CERT-In's Table 10, "Minimum Elements of AIBOM," is the part teams have never seen before. Where an SBOM enumerates packages, an AIBOM enumerates the model and everything that shaped it. The four buckets below are the ones every AIBOM we ship has to fill.
🧠
Model identity
Model name, version, supplier, and license. If you call Claude or GPT-4 through an API, the "model" is a third-party component with its own provider and terms — it goes in the AIBOM exactly like an npm package goes in the SBOM.
📊
Dataset provenance
Origins and sources of training data, formats, known limitations, and whether the dataset is compliant with privacy and licensing rules. This is the field that ties an AIBOM to DPDP — data origin is now a documented artifact, not tribal knowledge.
🎯
Intended & prohibited use
The use cases the model is built for, and the ones the procuring organisation should avoid. CERT-In wants the "do not use this for medical diagnosis" line written down, so misuse is a contract breach, not a surprise.
🛡️
Security & vulnerabilities
Security requirements to protect model data and user information, plus known weaknesses — model poisoning, prompt injection, training-data leakage. This is the AI-specific risk surface an SBOM never captured.
## SBOM vs AIBOM: what goes in each?
The two documents overlap on identity and license fields and diverge sharply on everything AI-specific. If you are building a RAG chatbot or a voice feature, you produce both — the SBOM for your code, the AIBOM for the model and data layer. Here is the side-by-side we hand engineering teams.
| Field | SBOM (21 fields) | AIBOM (Table 10) |
| Component name & version | Every library, module, package | The model(s) and their versions |
| Supplier / author | Package maintainer, origin | Model provider (Anthropic, OpenAI, Meta, you) |
| License | MIT, Apache-2.0, GPL, proprietary | Model license + dataset license |
| Known vulnerabilities | CVEs, patch status, EOL date | Model poisoning, prompt injection, leakage |
| Integrity | Cryptographic checksum per component | Model card hash, dataset version hash |
| Data provenance | Not applicable | Training data origin, format, limitations |
| Usage restrictions | Field present, rarely populated | Intended use + prohibited use, mandatory |
| Privacy compliance | Indirect | Dataset DPDP/licensing compliance, explicit |
Format note: CERT-In accepts CycloneDX or SPDX. We standardise on CycloneDX because version 1.6 has first-class support for AI ModelCards and an ML-BOM type — one format covers both your SBOM and your AIBOM. See the
CycloneDX ML-BOM capability page and the
v1.6 release notes.
## The 30-day compliance sprint (copy this)
We run this as four weekly milestones. A two-engineer team clears it in 30 calendar days for a single product; multi-product orgs run it per repo. Each step has a verification you can check off before moving on.
1
Week 1 — Inventory & tooling
Install
Syft and
cdxgen. List every repo, container image, and deployed service. Decide the source of truth per artifact.
Verify: you can name every shippable artifact and the tool that will scan it.
2
Week 2 — Generate the SBOM in CI
Run syft dir:. -o cyclonedx-json=sbom.cdx.json on every build, or cdxgen -t js -o sbom.cdx.json for deep dependency trees. Wire it into GitHub Actions so the SBOM is a build artifact, not a one-off. Verify: a fresh build drops a dated CycloneDX file you can open.
3
Week 3 — Build the AIBOM
For each AI feature, fill the four buckets: model identity, dataset provenance, intended/prohibited use, security. cdxgen emits an AI/ML-BOM, and Hugging Face model scanners enrich it; for API models (Claude, GPT-4) you hand-author the model component. Verify: every model and dataset has a named owner and a license.
4
Week 4 — Vulnerability scan + evidence pack
Feed the SBOM to
Grype or Dependency-Track for a CVE report. Assemble the evidence pack (next section). Stamp it with the build commit and date.
Verify: an auditor can trace any component back to a source and a scan result.
## The DIY walkthrough: generate your first SBOM in 10 minutes
This runs on any machine with Docker or a code checkout. We tested these exact commands on a Node.js + Python repo in August 2025, Syft v1.27 and cdxgen v11.
1
Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin — one binary, no runtime. Check it: syft version.
2
Scan your project to CycloneDX
From the repo root: syft dir:. -o cyclonedx-json=sbom.cdx.json. For a container, point at the image instead: syft myapp:latest -o cyclonedx-json=sbom.cdx.json. Open the JSON — every component now carries name, version, and a PURL identifier.
3
Run a vulnerability scan against it
grype sbom:sbom.cdx.json -o table reads your SBOM and lists CVEs with severity and fix versions. This is the "patch status" and "known vulnerabilities" the CERT-In fields ask for, generated automatically.
4
Generate the AI/ML-BOM with cdxgen
npm install -g @cyclonedx/cdxgen, then cdxgen -t python -o aibom.cdx.json on a repo that imports ML frameworks. cdxgen detects PyTorch, transformers, and Hugging Face references and seeds the ML-BOM. You then hand-fill dataset provenance and use-case fields — the tool can't read those from code.
Auto-submit to a dashboard: cdxgen can push every BOM to a
Dependency-Track server in CI, so your SBOM/AIBOM history is queryable instead of living in a folder nobody opens. Set it up once in Week 2 and the rest of the sprint feeds it automatically.
## What goes in the evidence pack?
An auditor or a buyer's security team does not want raw JSON. They want a short, dated package that proves the BOMs are current, scanned, and owned. This is the deliverable we hand over — the artifact that actually closes the procurement questionnaire.
- Current SBOM in CycloneDX 1.6 JSON, stamped with build commit hash and generation date
- AIBOM in CycloneDX ML-BOM format for every AI feature, with all four field buckets filled
- Vulnerability scan report (Grype or Dependency-Track) with severity and remediation status
- A one-page mapping of your fields to CERT-In's 21 SBOM elements and Table 10 AIBOM elements
- A named owner per component class and a refresh cadence (we recommend regenerating on every release)
- Dataset license and DPDP-compliance note for each training set, tying into your DPDP readiness audit
- Intended-use and prohibited-use statement per model, suitable for pasting into a contract annexure
## When NOT to chase full CERT-In compliance yet
The guidelines are advisory, and over-engineering this is a real failure mode. We have talked two clients out of a six-week BOM program they did not need. Here is when to slow down.
You sell only to small Indian businesses with no security questionnaire. If no buyer is asking and you are not in essential services or software export, a basic SBOM in CI is enough — skip the full AIBOM until a contract demands it. Build the muscle, not the paperwork.
You have no AI/ML in production. The AIBOM is for teams shipping models or model APIs. If your "AI" is a single ChatGPT link in your docs, you do not have an AIBOM obligation — you have an SBOM obligation, full stop. Do not invent model components that do not exist.
You treat it as a one-time PDF. The single biggest mistake: generating one SBOM by hand, emailing it, and calling it done. A BOM is true for exactly one build. If it is not regenerated in CI on every release, it is stale within a sprint and worse than useless in an audit.
## Real example: a 35-person Pune SaaS, three weeks to compliant
A Pune-based B2B SaaS firm (35 staff, HR-analytics product, one ML model for attrition scoring) got a public-sector bank's vendor questionnaire in August 2025 demanding an SBOM and an AIBOM. They had clean code and zero BOM artifacts. We ran the sprint in three weeks instead of four because their stack was a single Next.js + Python monorepo.
📦
SBOM in CI on day 4
Syft in GitHub Actions, CycloneDX output as a build artifact. 312 components inventoried, 9 with known CVEs — 7 patched in the same sprint.
🧠
AIBOM for the attrition model
Model identity, the HR dataset's provenance and DPDP note, intended use (internal attrition risk), prohibited use (no individual employment decisions), and model-poisoning controls.
📄
Evidence pack on day 19
A 6-page package mapping every field to CERT-In v2.0. The bank's security team cleared it without a follow-up call.
Outcome: The questionnaire closed in one pass, and the BOM pipeline now runs on every release with no manual work. The same pattern is one we apply across AI features — on our in-house voice app
TalkDrill (our English-speaking product, 5,000+ users), the AIBOM discipline of naming every model and dataset is built into how we ship.
As
Manvi, who leads our QA and compliance reviews, puts it: the AIBOM is just QA applied to your model supply chain — you would not ship code you cannot trace, so do not ship a model you cannot trace either. Our
AI & automation team bakes BOM generation into every delivery, and our broader
web engineering practice wires Syft into CI by default.
## FAQ
### Is CERT-In's SBOM/AIBOM guideline mandatory in 2025?
No. The v2.0 guidelines dated 9 July 2025 are advisory best practice, not law. They target public sector, government, essential services, and software export/services firms. The practical pressure comes from B2B buyers' security questionnaires, which began asking for SBOMs and AIBOMs in 2025.
### What is the difference between an SBOM and an AIBOM?
An SBOM lists every software component you ship — libraries, packages, modules — with 21 fields each. An AIBOM extends that to AI: the model, its training datasets, ML frameworks, and the intended and prohibited use cases. If your product has an AI feature, you produce both documents.
### Which format should I use, CycloneDX or SPDX?
CERT-In accepts both. We use CycloneDX 1.6 because it has native support for AI ModelCards and an ML-BOM type, so one format covers your SBOM and AIBOM. Tools like Syft and cdxgen emit CycloneDX JSON directly, and Dependency-Track ingests it.
### Do I need an AIBOM if I only call an external model API like Claude or GPT-4?
Yes, a light one. The model becomes a third-party component: you record its provider, version, license, and your intended and prohibited use cases. You do not control its training data, so you cite the provider's documentation for provenance rather than authoring it yourself.
### How long does it take to become compliant?
Our sprint is 30 calendar days with a two-engineer team for a single product. Generating a first SBOM takes about 10 minutes with Syft. The time goes into the AIBOM's dataset-provenance and use-case fields, the vulnerability remediation, and the evidence pack an auditor can actually read.
### What tools generate an SBOM and AIBOM for free?
Syft (Anchore) and cdxgen (OWASP) are the leading free, open-source generators; both emit CycloneDX. Grype scans the resulting SBOM for CVEs, and Dependency-Track stores BOM history. cdxgen also produces an AI/ML-BOM and detects ML frameworks in your code automatically.
### Does an AIBOM connect to DPDP compliance?
Directly. The AIBOM's dataset-provenance field forces you to document where training data came from and whether it meets privacy and licensing rules — which is the same evidence DPDP asks for. Building both together means you answer two compliance demands with one inventory.
Need an SBOM/AIBOM compliance pack built?
We run the full 30-day CERT-In v2.0 sprint for Indian SaaS — Syft and cdxgen in your CI, a complete AIBOM for every AI feature, a vulnerability scan, and an auditor-ready evidence pack. Typical fixed scope: ₹45,000–₹90,000 depending on product count. Suitable if a buyer has asked for an SBOM and you do not have one yet. No slides — just your stack and our honest take.
Book a 20-min Call
For the founder's first-person take on India's cybersecurity and regulation beat, see Vivek Singh's writing — Softechinfra was founded by Vivek Singh.