Create a guide for ML-BOM relative to CycloneDX v1.7 schema

ML-BOM/en/0x01-Frontispiece.md

@@ -6,33 +6,29 @@
 ## About the Guide
 CycloneDX is a modern standard for the software supply chain. It has been ratified as [ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/) by Ecma International.
 
-The content in this guide results from continuous community feedback and input from leading experts in the software
-supply chain security field. This guide would not be possible without valuable feedback from the CycloneDX Industry
-Working Group (IWG), the CycloneDX Core Working Group (CWG), the many CycloneDX Feature Working Groups (FWG),
-Ecma International Technical Committee 54, and a global network of contributors and supporters.
+The content in this guide results from work of the CycloneDX AI/ML WoWork Group with continuous community feedback and input from leading experts in the field. This guide would not be possible without valuable feedback from peers at the CycloneDX Industry Working Group (IWG), the CycloneDX Core Working Group (CWG), the many CycloneDX Feature Working Groups (FWG), Ecma International Technical Committee 54, and a global network of contributors and supporters.
 
 ## Copyright and License
 
 ![license](../../images/license.svg)
 
-Copyright © 2025 The OWASP Foundation. 
+Copyright © 2026 The OWASP Foundation.
 
-This document is released under the [Creative Commons Attribution 4.0 International](https://creativecommons.org/licenses/by/4.0/).
-For any reuse or distribution, you must make clear to others the license terms of this work.
+This document is released under the [Creative Commons Attribution 4.0 International](https://creativecommons.org/licenses/by/4.0/). For any reuse or distribution, you must make clear to others the license terms of this work.
 
 <div style="page-break-after: always; visibility: hidden">
 \emptyparagraph
 </div>
 
-First Edition, 00 Month 2025
+First Edition, 05 February 2026
 
 <div style="page-break-after: always; visibility: hidden">
 \emptyparagraph
 </div>
 
 | Version        | Changes                    | Updated On | Updated By                   |
 |----------------|----------------------------|------------|------------------------------|
-| First Edition  | Initial Release            | 2025-xx-xx | CycloneDX Core Working Group |
+| First Edition  | Initial Release            | 2026-02-05 | CycloneDX AI/ML Working Group |
 
 <div style="page-break-after: always; visibility: hidden">
 \newpage

ML-BOM/en/0x02-Preface.md

@@ -1,29 +1,18 @@
 # Preface
 
-Welcome to the Authoritative Guide series by the OWASP Foundation and OWASP CycloneDX. In this series, we aim to
-provide comprehensive insights and practical guidance, ensuring that security professionals, developers, and
-organizations alike have access to the latest best practices and methodologies.
+Welcome to the Authoritative Guide series by the OWASP Foundation and OWASP CycloneDX. In this series, we aim to provide comprehensive insights and ractical guidance, ensuring that security professionals, developers, and organizations alike have access to the latest best practices and methodologies.
 
-At the heart of the OWASP Foundation lies a commitment to inclusivity and openness. We firmly believe that everyone
-deserves a seat at the table when it comes to shaping the future of cybersecurity standards. Our collaborative
-model fosters an environment where diverse perspectives converge to drive innovation and excellence.
+At the heart of the OWASP Foundation lies a commitment to inclusivity and openness. We firmly believe that everyone deserves a seat at the table when it comes to shaping the future of cybersecurity standards. Our collaborative model fosters an environment where diverse perspectives converge to drive innovation and excellence.
 
-In line with this ethos, the OWASP Foundation has partnered with Ecma International to create an inclusive,
-community-driven ecosystem for security standards development. This collaboration empowers individuals to contribute
-their expertise and insights, ensuring that standards like CycloneDX reflect the collective wisdom of the global
-cybersecurity community.
+In line with this ethos, the OWASP Foundation has partnered with Ecma International to create an inclusive, community-driven ecosystem for security standards development. This collaboration empowers individuals to contribute their expertise and insights, ensuring that standards like CycloneDX reflect the collective wisdom of the global cybersecurity community.
 
-One standout example of this model is OWASP CycloneDX, which has been ratified as an Ecma International standard and is 
-now known as ECMA-424. By leveraging the strengths of both organizations, CycloneDX serves as a cornerstone of security 
-best practices, providing organizations with a universal standard for software and system transparency.
+One standout example of this model is OWASP CycloneDX, which has been ratified as an Ecma International standard and is now known as ECMA-424. By leveraging the strengths of both organizations, CycloneDX serves as a cornerstone of security best practices, providing organizations with a universal standard for software and system transparency.
 
-As you embark on your journey through this Authoritative Guide, we encourage you to engage actively with the content
-and join us in shaping the future of cybersecurity standards. Together, we can build a safer and more resilient digital
-world for all.
+As you embark on your journey through this Authoritative Guide, we encourage you to engage actively with the content and join us in shaping the future of cybersecurity standards. Together, we can build a safer and more resilient digital world for all.
 
 ---
 
-Andrew van der Stock  
+Andrew van der Stock
 Executive Director, OWASP Foundation
 
 <div style="page-break-after: always; visibility: hidden">

ML-BOM/en/0x10-Introduction.md

@@ -1,10 +1,27 @@
 # Introduction
-CycloneDX is a modern standard for the software supply chain. At its core, CycloneDX is a general-purpose Bill of
-Materials (BOM) standard capable of representing software, hardware, services, and other types of inventory. CycloneDX 
-is an OWASP flagship project, has a formal standardization process and governance model through 
-[Ecma Technical Committee 54](https://tc54.org), and is supported by the global information security community.
 
-TODO
+CycloneDX is a modern standard for the software supply chain. At its core, CycloneDX is a general-purpose Bill-of-Materials (BOM) standard capable of representing software, hardware,  services, and other types of inventory.
+
+CycloneDX is notably an OWASP flagship project, has a formal standardization process and governance model through [Ecma Technical Committee 54](https://tc54.org), and is supported by the global information security community.
+
+## What is an ML-BOM?
+
+An ML-BOM (Machine Learning Bill-of-Materials) is a CycloneDX BOM document specialized to address the unique complexities and risks of AI/ML systems. It  provides a detailed inventory of all components, configurations, and processes involved in the development, training, deployment and hosting (i.e., via hardware/software stacks and frameworks) of a machine learning model.
+
+The primary purpose of an ML-BOM is to ensure transparency, traceability, security, and compliance throughout an ML model's lifecycle.
+
+
+### Why ML-BOMs are Important
+
+ML-BOMs address critical challenges in the machine learning supply chain:
+
+- **Security & Vulnerability Management**: Help  identify security risks, such as malicious (open-source) models or vulnerable dependencies, before they are integrated into production applications.
+
+- **Governance & Compliance**: Provide documentation for audits or formal informational requests based upon requirements from emerging global AI regulations such as the [European Union's Cyber Resilience Act (EU CRA)](https://www.european-cyber-resilience-act.com/), including specifics for AI models and systems from the complementary [EU AI Act](https://artificialintelligenceact.eu/), as well as for voluntary, guidance-focused frameworks such as the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework).
+
+- **Risk Mitigation**: Enable teams to track data lineage, helping to identify and eliminate potential data quality issues, privacy risks, or unwanted biases that could affect the model's performance and fairness.
+
+- **Reproducibility & Explainability**: Show adherence to software development lifecycle best practices by providing a detailed record of components and training processes such that developers are able to reproduce models (via training from datasets) and their benchmarks in order to validate claims of model accuracy and adherence to ethical considerations.
 
 <div style="page-break-after: always; visibility: hidden">
 \newpage

ML-BOM/en/0x15-Core-Concepts.md

@@ -0,0 +1,28 @@
+# Core Concepts and Considerations
+
+## Key Components of an ML-BOM
+
+An ML-BOM typically documents the identifying elements, architecture, components and its supply chain along with any configurations and developmental or executional considerations inclusive of the following areas:
+
+- **Model identifiers**: Identifying information such as the model's [Package URL (PURL)](https://tc54.org/purl/) (e.g., from Huggingface `pkg:huggingface/distilbert-base-uncased@043235d6088ecd3dd5fb5ca3592b6913fd51602`) or other domain-specific identifiers within other registries.
+
+- **Model metadata**: Descriptive details such as the model's name, version, license, developer, purpose, use cases, architecture, (hyper)parameters and any additional identifying elements.
+
+- **Model architecture**: Description of the  composition of the model's neural network including configurations, layers, input/output parameters, attention mechanisms, etc. used at network processing stages.
+
+- **Datasets**: Description of datasets, as CycloneDX data components, used for training and testing of the associated model. This includes data sources, selection criteria, acquisition methods, preprocessing steps and more.
+
+- **Tokenizers and prompt templates**: Descriptive details of specific tokenizers (e.g., libraries, files, configurations) and prompt templates used to train and/or interact with the model during runtime.
+
+- **Hardware, software & frameworks**: A list of all hardware and software components including libraries, packages, frameworks (e.g., TensorFlow, PyTorch, Huggingface), along with specific versions and associated licenses used in aspects of the model's lifecycle.
+This informational category may also include operational and application aspects of models (perhaps as agents) used within compositional frameworks and workflows along with the protocols used for communication.
+
+- **Training & testing details**: Information about the computational environment and systems (software, hardware, operating system, and GPUs) used for training or evaluation along with necessary configurations, hyperparameters, and evaluation metrics.
+
+- **Intended use & ethical considerations**: Documentation of the model's intended use, known limitations, safety guardrails, and ethical considerations.
+
+- **Environmental impacts**: Documentation of the resource needed to train or execute the model which have an environmental impact or cost (e.g., data center energy and water cooling cost details).
+
+<div style="page-break-after: always; visibility: hidden">
+\newpage
+</div>