diff --git a/.clomonitor.yml b/.clomonitor.yml new file mode 100644 index 00000000..c93e60a7 --- /dev/null +++ b/.clomonitor.yml @@ -0,0 +1,19 @@ +# CLOMonitor metadata file + +# Checks exemptions +exemptions: + - check: artifacthub_badge + reason: "Nephio artifacts are hosted on DockerHub" + + - check: signed_releases + reason: > + "All Nephio release images are cryptographically signed during build with cosign. + Images and signatures are hosted in DockerHub. Naming convention is that signature + filename is an image sha256 digest and the file extension is .sig + Scorecard check is currently limited to repositories hosted on GitHub, + and does not support other source hosting repositories." + +licenseScanning: + # In Nephio every PR is being tested for license compliance. Those include Fossology scan, Scancode-toolkit scan and + # Lichen scan of produced binaries. The results of those scans are available at Prow site: + url: https://prow.nephio.io/ diff --git a/README.md b/README.md index e8526a3a..aa85bf45 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,10 @@ series and it's corresponding [wiki pages](https://wiki.nephio.org/display/HOME If you wish to participate in building Nephio, please join our SIG meetings, or reach out to us on Slack. You may also want to peruse the [Nephio Planning](https://github.com/orgs/nephio-project/projects) project boards. +## Software Bill Of Materials +Release container images are digitally signed as well as have Software Bill Of Materials (SBOM) created for them. Both signature and sbom are stored in [DockerHub](https://hub.docker.com/u/nephio) as artifacts. +Naming convention is that filename is an image sha256 digest and the file extension is respectively .sig and .sbom + ## Community Please see the following resources for more information:
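Review bot: In the `signed_releases` exemption, the `reason: >` folded scalar wraps its whole text in literal double quotes, so the quotes become part of the string value; either drop the quotes or use a plain quoted string as in the `artifacthub_badge` entry. The reason also states that images are signed with cosign and that signatures live in DockerHub under the image sha256 digest with a `.sig` extension, but gives a consumer no way to verify that claim: no public key, keyless signing identity or link to verification instructions. Since this exemption is what justifies skipping the Scorecard signed-releases check, add a pointer to where the trust anchor and a `cosign verify` example are documented. For `licenseScanning`, the comment names Fossology, Scancode-toolkit and Lichen scans but the `url` is only the Prow landing page; a link to the job or dashboard that actually exposes those results would make the claim checkable.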
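Review bot: The new "Software Bill Of Materials" section in README.md states that release images are signed and have an SBOM, but it does not tell a reader how to verify the signature or fetch the SBOM (the cosign key or keyless identity to trust, and the command to run), so the statement is not actionable for someone consuming the images. Minor consistency points in the same hunk: "sbom" is lowercase where the acronym was just introduced as "SBOM"; the sentence "Naming convention is that filename is an image sha256 digest and the file extension is respectively .sig and .sbom" is missing its articles and final period; and since the section covers both signatures and SBOMs, a heading such as "Image signatures and SBOM" would describe it better.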