Compliance
Interlynk supports multiple compliance frameworks to help organizations align SBOM practices with regulatory and industry standards. Administrators can enable frameworks, configure SBOM quality scoring, and manage compliance check rules.
Supported Compliance Frameworks
FDA: U.S. Food and Drug Administration requirements for medical device software
NTIA: National Telecommunications and Information Administration minimum elements for SBOMs
BSI: German Federal Office for Information Security (TR-03183) technical guidelines
PCI: Payment Card Industry Data Security Standard
SOC2: Service Organization Control 2 compliance
ISO 27001: International standard for information security management systems
NIST: National Institute of Standards and Technology cybersecurity framework
Enabling Compliance Frameworks
1. Navigate to Settings > Organization > Compliance.
2. Click the compliance configuration.
3. In the Applicable Compliance dropdown, select one or more frameworks.
4. Click Save.
You can enable multiple frameworks simultaneously. Each framework contributes its own set of check rules to SBOM analysis.
SBOM Quality Score
One compliance framework can be designated as the primary scoring framework:
1. Navigate to the SBOM Quality Score configuration.
2. Select a framework from the dropdown. Options include: None, PCI, SOC2, ISO 27001, NIST, FDA, NTIA.
3. Click Save.
Only one framework can be the active quality scorer at a time. BSI and Unspecified types are not available for quality scoring.
Mapping Vulnerabilities to Compliance Controls
Compliance frameworks define check rules that evaluate SBOMs against framework-specific requirements. These checks verify:
Required SBOM fields are present (supplier, version, timestamps).
Component identification meets minimum standards (package URLs, CPE identifiers).
Vulnerability data meets disclosure and tracking requirements.
License information is complete and accurate.
Compliance Check Rules
Each framework includes a set of predefined check rules. Administrators can manage these rules:
Navigate to Settings > Organization > Compliance > Checks.
The checks table displays the following columns:
Active: toggle to enable or disable individual checks
Check ID: numeric identifier for the check rule
Description: short and long description of what the check evaluates
Severity: impact level (Critical, High, Medium, Low)
Toggle checks on or off to include or exclude them from SBOM analysis.
Change the severity level of a check by clicking the severity dropdown.
Severity Levels
Critical: SBOM fails a fundamental requirement. Example: missing mandatory fields, no supplier information.
High: significant gap in SBOM quality. Example: missing package identifiers for most components.
Medium: moderate quality issue. Example: incomplete license data, missing timestamps.
Low: minor issue or best-practice recommendation. Example: optional fields not populated.
Reporting
SBOM Compliance Reports
Compliance check results are available at the SBOM level:
Each SBOM shows its compliance score as a percentage.
Individual check results (pass/fail) are listed with descriptions.
Failed checks include guidance on what is missing or incorrect.
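As an added example (not Interlynk's code) of how a check set like the one described above becomes a percentage score, the following Python evaluates a few hypothetical check rules, tagged with the page's severity levels, against a constructed CycloneDX-shaped SBOM, excludes toggled-off checks the way the Active column does, and applies the 80% minimum that this page later uses as a policy example. The check list and the scoring formula (share of active checks passed) are assumptions: the page states that the score is a percentage but not how it is computed.

```python
# Added example, not Interlynk's code. The check list and the scoring formula
# (share of active checks passed) are assumptions modelled on the page.
def _meta(s: dict) -> dict:
    return s.get("metadata", {})
def _components(s: dict) -> list:
    return s.get("components", [])

# Hypothetical check rules as (check_id, description, severity, test), covering the
# page's categories: required fields, package URLs and license data.
CHECKS = [
    (1, "SBOM carries a creation timestamp", "Medium",
     lambda s: bool(_meta(s).get("timestamp"))),
    (2, "Primary component names a supplier", "Critical",
     lambda s: bool(_meta(s).get("component", {}).get("supplier", {}).get("name"))),
    (3, "Every component has a version", "Critical",
     lambda s: all(c.get("version") for c in _components(s))),
    (4, "Every component has a package URL", "High",
     lambda s: all(c.get("purl") for c in _components(s))),
    (5, "Every component declares a license", "Medium",
     lambda s: all(c.get("licenses") for c in _components(s))),
]

def run_checks(sbom: dict, disabled: frozenset = frozenset()) -> dict:
    """Evaluate active checks only; a toggled-off check is excluded from analysis."""
    return {cid: test(sbom) for cid, _, _, test in CHECKS if cid not in disabled}

def compliance_score(results: dict) -> float:
    """Assumed formula: percentage of active checks that passed."""
    return round(100.0 * sum(results.values()) / len(results), 1) if results else 0.0

def failures_by_severity(results: dict) -> dict:
    """Group failed check IDs by severity so Critical/High gaps are addressed first."""
    out: dict = {}
    for cid, _, severity, _ in CHECKS:
        if cid in results and not results[cid]:
            out.setdefault(severity, []).append(cid)
    return out

def policy_passes(results: dict, minimum: float = 80.0) -> bool:
    """The page's example policy: fail if the compliance score is below 80%."""
    return compliance_score(results) >= minimum

# Constructed sample CycloneDX-shaped SBOM; libb lacks a purl and a license.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-01-01T00:00:00Z", "component": {
        "name": "app", "version": "1.0.0", "supplier": {"name": "Example Corp"}}},
    "components": [{"name": "liba", "version": "2.3.1", "purl": "pkg:pypi/liba@2.3.1",
                    "licenses": [{"license": {"id": "MIT"}}]},
                   {"name": "libb", "version": "0.9.0"}]}
```

Disabling checks 4 and 5 lifts the sample to 100%, which is the "Critical checks disabled" misconfiguration in numbers: the score improves while the gap in the SBOM remains.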
Organization-Level Reporting
Organization dashboards aggregate compliance data across all products:
Overall compliance posture by framework.
Trend data showing compliance improvement over time.
Products with the lowest compliance scores.
Audit Exports
Compliance data can be exported for audit purposes:
SBOM downloads include compliance metadata when downloaded in CycloneDX or SPDX format.
Vulnerability data with VEX status, justification, and custom field values can be exported.
Check results provide evidence of SBOM quality for auditors.
To export SBOM data with compliance information:
Evidence Collection
For compliance audits, Interlynk provides evidence across several dimensions (evidence type, followed by where to find it):
SBOM completeness: compliance check results (SBOM detail view > Checks tab)
Vulnerability management: VEX dispositions, triage history (vulnerability detail view)
Component provenance: package URLs, supplier data (component detail view)
Policy enforcement: policy scan results, violation history (policy dashboard)
Remediation tracking: Jira ticket status, VEX status changes (ticketing settings, vulnerability logs)
Change history: activity logs, component vuln logs (activity log views)
Best Practices for Audits
Preparation
Enable the relevant compliance framework before generating SBOMs that will be audited.
Run SBOM checks on all products in scope to identify gaps before the audit.
Address critical and high-severity check failures — these represent the most impactful gaps.
Use VEX dispositions to document why specific vulnerabilities are not exploitable in your context.
During the Audit
Export SBOMs in the format required by your auditor (CycloneDX or SPDX).
Provide compliance check results as evidence of SBOM quality.
Show policy scan history to demonstrate ongoing enforcement.
Reference Jira tickets (via the Jira integration) to show remediation progress.
Ongoing Compliance
Enable SBOM checks by default in Environment Defaults so all new projects are automatically evaluated.
Create policies that enforce compliance minimums (e.g., fail if compliance score below 80%).
Set up notifications for compliance check failures to catch regressions early.
Review compliance scores monthly and track trends.
Common Misconfigurations
No compliance framework enabled. Impact: no compliance checks run, no scores displayed. Fix: enable at least one framework in compliance settings.
SBOM checks disabled in environment defaults. Impact: compliance checks never execute. Fix: enable "Run SBOM Checks" in Environment Defaults.
All checks set to Low severity. Impact: compliance failures do not trigger policies. Fix: adjust severity levels to reflect actual risk.
Multiple frameworks enabled but no quality scorer selected. Impact: no SBOM quality score displayed. Fix: select a primary framework for quality scoring.
Critical checks disabled. Impact: fundamental gaps not flagged. Fix: review disabled checks and re-enable any that are required by your audit scope.
Recommended Best Practices
Enable the compliance framework that matches your regulatory requirements (e.g., FDA for medical devices, NTIA for U.S. government).
Start with all checks enabled and disable only those explicitly not applicable to your context.
Set the quality scoring framework to match your primary compliance driver.
Use policies with compliance-related conditions to automate enforcement.
Export and archive compliance evidence regularly, not just before audits.
Align custom field usage (see Vulnerability Custom Fields) with compliance categories for richer audit evidence.