A Guide to SBOM Requirements Around the Globe

Posted on February 11, 2025
Author: Jeff Numark

Over the past several years, regulators around the globe have begun issuing Software Bill of Materials (SBOM) requirements and standards in an effort to strengthen software security. An SBOM is a detailed inventory of all the components—open source, proprietary, and third-party—used in a software application. SBOMs provide visibility into software components and are a valuable tool for strengthening software supply chain security and traceability. Why are regulators focusing on SBOMs now, and what does that mean for your software development practices? This guide looks at SBOM requirements around the globe, their origins, and emerging global trends. Whether you’re a software developer or part of a security-focused team, staying up to date on SBOM regulations is critical for compliance and for safeguarding your software ecosystem.

Why SBOMs Are Becoming a Must-Have

SBOM requirements didn’t emerge in a vacuum. They were born in response to two major software supply chain attacks, the most infamous of which was the SolarWinds attack of 2020. 

1. The SolarWinds Attack of 2020 

The SolarWinds attack marked a turning point in cybersecurity history. This sophisticated supply chain compromise impacted over 18,000 organizations, including multiple U.S. federal agencies. Attackers leveraged vulnerabilities in SolarWinds’ software updates to gain unauthorized access, demonstrating how a lack of visibility into source components could have devastating consequences. The fallout from this attack placed a spotlight on SBOMs as a tool to identify and mitigate risks in software supply chains. By providing detailed inventories of software components, SBOMs have since emerged as a foundational element of secure software development practices.

2. The Log4Shell Vulnerability 

Another major wake-up call came in late 2021 with the discovery of the Log4Shell vulnerability. This critical flaw in the widely used Log4j library exposed organizations worldwide to potential exploitation. Many companies scrambled to assess their exposure, yet their lack of comprehensive SBOMs caused unnecessary delays in response times. These incidents collectively underscored the critical importance of having a full inventory of software dependencies in order to identify vulnerabilities quickly and ensure timely remediation.

The Evolution from Request to Requirement


Executive Order 14028 (2021)

Following the SolarWinds attack, the White House issued Executive Order (EO) 14028 on Improving America’s Cybersecurity in 2021. The EO required federal agencies to request SBOMs from software vendors. The National Telecommunications and Information Administration (NTIA) outlined the “Minimum Elements for an SBOM,” which include:

  • Data fields (component name, version, supplier)
  • Automation support for machine-readable formats
  • Practices for SBOM updates and distribution

The mandate raised awareness of the need for SBOMs but lacked strong enforcement mechanisms; it served instead as a framework for the binding SBOM requirements that followed.

CISA Guidance (2024)

In 2024, the Cybersecurity and Infrastructure Security Agency (CISA) expanded on the original guidance from the NTIA, issuing the framework “Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM).” The CISA framing document is the most up-to-date guidance on how to build an SBOM, including direction on what to include in an SBOM and processes for SBOM creation and exchange. While the CISA guidance is not an enforcement directive, its recommendations have been turned into hard requirements enforced by specific federal agencies, which we review below.

Key U.S. SBOM Requirements Today


FDA Cybersecurity in Medical Devices Requirements (2023)

In 2023, the FDA updated their guidance on “Cybersecurity in Medical Devices.” The FDA now requires medical device manufacturers to submit SBOMs during premarket reviews for “cyber devices” that connect to the internet or are sensitive to cybersecurity risks. These SBOMs must include:

  • Lifecycle information
  • Vulnerability assessments
  • Remediation plans

U.S. Army SBOM Directive (2024)

The U.S. Army SBOM Directive was released on August 16, 2024, and its SBOM requirements take effect in February 2025. The directive was issued as a memo detailing the Army’s strategy to mandate the inclusion of SBOMs in most new software contracts. Software contractors and subcontractors will need to supply SBOMs for nearly all software-related contracts, including commercial off-the-shelf (COTS) products.

PCI DSS 4.0 Standards (2024)

PCI DSS 4.0 governs payment card data security and encourages SBOM usage among payment processing software providers.


SBOM Compliance Requirements Around the Globe 


1. The European Union 

In 2024, the EU adopted the Cyber Resilience Act (CRA), a landmark regulation designed to ensure that hardware and software products with digital elements are secure before they are placed on the market. Under the CRA, manufacturers need to identify, address, and report on vulnerabilities within their products, including mandatory SBOM generation. The CRA covers a range of connected devices, from cameras and appliances within our homes to hardware and software deployed within critical infrastructure.

2. Germany

In 2023, Germany’s Federal Office of Information Security (BSI) adopted Technical Guideline TR-03183 on Cyber Resilience Requirements for Manufacturers and Products. TR-03183 provides detailed requirements for SBOMs with the goal of preparing manufacturers ahead of the upcoming enforcement of the CRA. The guideline specifies minimum fields of information and preferred formats for SBOMs, mirroring the standards set by the U.S. National Telecommunications and Information Administration (NTIA). 

3. The United Kingdom 

The UK’s National Cyber Security Centre (NCSC) encourages organizations to adopt SBOMs as part of their cybersecurity best practices. While not yet mandatory, NCSC has issued guidelines advocating for SBOMs to improve transparency and mitigate risks in software systems. 

4. Australia 

The Australian Cyber Security Centre (ACSC) has become a vocal proponent of SBOMs to enhance software supply chain security. Through comprehensive frameworks and recommendations, the ACSC encourages organizations to leverage SBOMs as a key defense mechanism against vulnerabilities.

5. Japan

Recognizing the global move toward SBOM adoption, Japan has launched proof-of-concept projects in collaboration with private industry players. The government plans widespread implementation by 2025, ensuring businesses have time to adapt. 

Industry-Specific SBOM Requirements 

Various industries face unique SBOM requirements to address specific challenges. 

What These SBOM Standards Mean for Organizations 

The global push for SBOMs reflects a shared understanding of their importance in reducing risk in the software supply chain. While requirements vary in scope, organizations across industries must prepare to align with emerging regulations. Here’s how SBOMs provide real, functional value to businesses worldwide:

1. Improved Security 

By tracking software dependencies and components, SBOMs enable organizations to promptly identify and remediate vulnerabilities like Log4Shell or Heartbleed. 

2. Simplified Compliance 

Legal mandates such as the FDA Cyber Device Rule or the EU CRA mean SBOMs are increasingly non-negotiable for regulatory compliance. Enterprises that embed SBOM practices into their workflows are better equipped for compliance. 

3. Enhanced Transparency 

SBOMs foster trust between vendors and customers by offering a detailed view of software components. This transparency can serve as a competitive advantage in an increasingly security-conscious market. 

4. Proactive Risk Management 

SBOMs empower organizations to adopt a proactive approach to software security. By continuously monitoring and updating software inventories, businesses can stay ahead of risks.

Preparing for Compliance 

Adopting SBOMs involves several best practices to ensure proper implementation and alignment with regulatory requirements. 

Steps to Get Started 

  1. Inventory Existing Software: Conduct a thorough review of existing software to identify components and dependencies. 
  2. Select an SBOM Tool: Choose from industry-leading SBOM generation tools. Look for solutions that support multiple formats, such as SPDX and CycloneDX, as these are commonly recommended by global standards. 
  3. Update Security Policies: Incorporate SBOMs into your organization’s software development lifecycle and establish policies for ongoing updates. 
  4. Train Your Team: Ensure your development and security teams understand how to generate and manage SBOMs effectively.
  5. Collaborate with Vendors: Require third-party vendors to provide SBOMs as part of contract negotiations. 
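The steps above, together with the NTIA minimum elements listed earlier (component name, version and supplier, in a machine-readable format), can be checked mechanically once an SBOM exists. The script below is an added example written for this guide; it is not code from the original post or from any SBOM tool the post mentions. It loads a constructed CycloneDX 1.5 JSON document, reports components that lack one of the three NTIA baseline data fields, and matches the remaining components against a constructed advisory list of the kind a real pipeline would pull from a vulnerability database. The SBOM contents, the advisory entry (placeholder id and illustrative version range) and the simple numeric version comparison are all assumptions made for illustration.

```python
"""Audit a CycloneDX SBOM for NTIA minimum data fields and known-vulnerable components.

Added example for this guide. The SBOM document and the advisory list are
constructed for illustration and do not describe any real product or advisory.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 JSON document (illustrative, not a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "supplier": {"name": "Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "supplier": {"name": "FasterXML"}},
        {"type": "library", "name": "left-pad", "version": "1.3.0"},   # supplier missing
        {"type": "library", "name": "internal-utils"},                  # version and supplier missing
    ],
})

# Constructed advisory feed: (component name, first affected, first fixed, advisory id).
# The id is a placeholder; a real check would query NVD, OSV or a commercial feed.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("log4j-core", "2.0", "2.15.0", "ADV-EXAMPLE-0001"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints for ordering.

    Deliberately simple: non-numeric suffixes (e.g. '-rc1') are dropped,
    so ecosystem-specific ordering rules are not honoured.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


def check_minimum_fields(sbom: dict) -> Dict[str, List[str]]:
    """Map each non-compliant component label to the NTIA baseline fields it lacks."""
    findings: Dict[str, List[str]] = {}
    for comp in sbom.get("components", []):
        missing = []
        if not comp.get("name"):
            missing.append("name")
        if not comp.get("version"):
            missing.append("version")
        # CycloneDX models the supplier as an object; the name is what NTIA asks for.
        if not (comp.get("supplier") or {}).get("name"):
            missing.append("supplier")
        if missing:
            label = f"{comp.get('name', '<unnamed>')}@{comp.get('version', '?')}"
            findings[label] = missing
    return findings


def find_vulnerable(sbom: dict, advisories) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory id) for components inside an affected range."""
    hits = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            continue  # cannot match without a version; reported by check_minimum_fields
        installed = parse_version(version)
        for adv_name, first_affected, first_fixed, adv_id in advisories:
            if name == adv_name and parse_version(first_affected) <= installed < parse_version(first_fixed):
                hits.append((name, version, adv_id))
    return hits


def audit(sbom_json: str) -> dict:
    """Parse a CycloneDX document and run both checks."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {
        "missing_fields": check_minimum_fields(sbom),
        "vulnerable": find_vulnerable(sbom, ADVISORIES),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SBOM)
    for label, fields in result["missing_fields"].items():
        print(f"NTIA gap: {label} lacks {', '.join(fields)}")
    for name, version, adv_id in result["vulnerable"]:
        print(f"vulnerable: {name} {version} matches {adv_id}")
```

Run as a script, it prints one line per NTIA gap and one per advisory match. In a real pipeline the advisory list would come from a vulnerability feed keyed on the component's purl rather than its bare name, and the version comparison would follow the package ecosystem's own rules; the numeric tuple comparison here is enough to show the check but ignores pre-release tags and epochs.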

Businesses that take proactive steps to integrate SBOM practices can better secure their software supply chains while meeting compliance deadlines. 

Building the Future of Secure Software 

Much like the cybersecurity landscape itself, SBOM regulations are in a state of rapid evolution. Businesses that remain proactive, informed, and adaptive stand to gain the most from this shift toward transparency and accountability. 