diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index 756c17570..fbbd592ce 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst @@ -66,7 +66,7 @@ After gathering this information: * ``name`` for the project name. * ``SPDXID`` which will be ``"SPDXRef-PACKAGE-{name}"``. - * ``licenseConcluded`` for the SPDX license identifier of the project license. + * ``licenseConcluded`` must be ``NOASSERTION``. * ``versionInfo`` for the version of the project. * ``downloadLocation`` should be an HTTPS URL for the project download as an archive. * ``checksums[0].checksumValue`` and ``.algorithm`` will be the SHA-256 
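Review bot: the replacement line in this hunk turns ``licenseConcluded`` from "the SPDX license identifier of the project license" into a mandatory ``NOASSERTION`` without saying why, and a one-line rationale next to the bullet would save every future reader the same question. It also retroactively changes the rule for entries that already exist: the procedure below commits :cpy-file:`Misc/sbom.spdx.json`, so any package entry in that file still carrying a concrete license identifier now disagrees with the documented format and should be regenerated or corrected in the same change, otherwise the doc and the SBOM drift apart. Lastly, SPDX distinguishes ``NOASSERTION`` from ``NONE``; wording the bullet as "must be ``NOASSERTION`` (not ``NONE`` or a license identifier)" removes the ambiguity for anyone filling the field by hand.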
@@ -107,3 +107,35 @@ When removing a dependency: that correct package is removed from the SBOM. 5. Commit the changes to :cpy-file:`Misc/sbom.spdx.json` and :cpy-file:`Tools/build/generate_sbom.py`. + +Updating external dependencies (``cpython-source-deps``) +-------------------------------------------------------- + + .. note:: + Only core developers can push to the ``cpython-source-deps`` repository. + + For this repo to maintain integrity, pull requests from contributors are not accepted. Instead of a pull request, + contributors should + create an issue requesting the updated + version and then wait for a core developer to prepare the new version + before proceeding with the next steps below. + +Dependencies for Windows CPython builds are `stored in a separate repository +`_ and then fetched during +builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. + +In this :cpy-file:`PCbuild/get_externals.bat`, the libraries to fetch are designated by ``{name}-{version}`` +Git refs being added to the ``libraries`` variable. +SBOM tooling in the CPython repository matches these Git refs in order +to build the :cpy-file:`Misc/externals.spdx.json` SBOM file. + +When updating external dependencies for a CPython branch: + +1. Push the update to the ``cpython-source-deps`` repository and + create a new Git tag. +2. Update the entry for the project in ``get_externals.bat``. +3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen`` + in the CPython source repository. +4. Use ``git diff`` to verify that the metadata (like version, download location) + in ``externals.spdx.json`` SBOM is updated as expected. +5. Commit the changes and have them merged together.
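Review bot: step 1 of the new procedure says to "create a new Git tag" but never gives the tag's name, while the paragraph above states that :cpy-file:`PCbuild/get_externals.bat` and the SBOM tooling match refs of the form ``{name}-{version}``; step 1 should say the tag must be named ``{name}-{version}``, since that is what step 2 and the ``make regen-sbom`` / ``PCbuild/build.bat --regen`` run in step 3 depend on. Because the note justifies the no-pull-request rule with repository integrity, step 1 is also the place to say that the core developer checks the upstream release archive against its published checksum or signature before pushing it; without that, the version and download-location metadata verified in step 4 only reflects what was pushed, not that it matches upstream. Smaller points in the same hunk: the reference ``stored in a separate repository`_`` has no ``<URL>`` target in the visible lines, so either the target was dropped or a ``.. _stored in a separate repository:`` definition is needed; ``.. note::`` is indented one space under the heading, which RST renders as a block quote wrapping the admonition, and the note body breaks at odd points ("contributors should" / "create an issue requesting the updated"); steps 2 and 4 write ``get_externals.bat`` and ``externals.spdx.json`` as bare literals where the rest of the section uses :cpy-file:`PCbuild/get_externals.bat` and :cpy-file:`Misc/externals.spdx.json`; and step 5 ("Commit the changes and have them merged together") should name the files being committed, as step 5 of the preceding list does.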