The Software Bill of Materials (SBOM) has become an essential tool in modern software development. While it is often associated with managing security vulnerabilities, its significance extends far beyond cybersecurity. SBOMs are invaluable across various domains, from enterprise IT systems to embedded technologies such as smart home devices and industrial controllers. In today’s interconnected world, where applications grow increasingly complex and supply chains involve numerous third-party components, SBOMs serve as a foundation for transparency, accountability, and resilience.

What is an SBOM?

An SBOM is a detailed inventory of every software component within an application. Each entry in an SBOM provides critical information about the component, including its source, version, interdependencies, and any known vulnerabilities. These attributes are crucial not only for identifying security risks but also for maintaining transparency in the software supply chain. The value of an SBOM is particularly evident in critical infrastructure and systems that might serve as entry points for broader cybersecurity threats. Importantly, SBOMs are not static documents; they require regular updates and must be cross-referenced with vulnerability databases to ensure their continued relevance and efficacy.

The Regulatory Push for SBOM Adoption

Governments worldwide have recognized the importance of SBOMs and have introduced legislation to promote their adoption, particularly in sectors that impact public safety and critical infrastructure. In the United States, Executive Order 14028, signed by President Joe Biden in 2021, requires software suppliers to provide SBOMs for any software sold to the government. This mandate extends to cloud service providers and aims to enhance visibility into software development processes while establishing security standards. Although initially designed for government contracts, the order offers a framework that private organizations and developers of embedded systems can also adopt.

In the European Union, the Cyber Resilience Act (CRA), enacted in 2024, goes further by requiring cybersecurity compliance for all digital products sold within the EU. This legislation, which gives manufacturers until 2027 to prepare compliant products, emphasizes the importance of SBOMs throughout a product’s lifecycle. In the United Kingdom, the Product Security and Telecommunications Infrastructure (PSTI) Act, which came into force in 2024, focuses on consumer IoT devices and references global standards such as ETSI EN 303 645. Though narrower in scope than the EU’s CRA, the U.K.’s approach highlights SBOMs as a vital element in safeguarding consumer technology.

SBOM Beyond Security

While SBOMs are essential for addressing software vulnerabilities, they also provide significant value in other areas. They play a crucial role in software licensing audits, ensuring compliance with internal policies and external regulations. During mergers, acquisitions, or other due diligence processes, SBOMs enable transparency, helping organizations avoid potential legal or operational risks. Additionally, they are increasingly relevant for firmware management, a domain often overlooked in discussions about cybersecurity. Viktor Petersson, founder of the SBOM hub startup sbomify, has observed a growing interest in using SBOMs to address firmware vulnerabilities, particularly in areas such as BIOS research and binary releases.

SBOM Creation, Distribution, and Analysis

The lifecycle of an SBOM encompasses three main stages: (1) generation,  (2) distribution, and (3) analysis. The generation phase involves compiling the SBOM, which can be particularly challenging in environments that rely on continuous integration and continuous deployment (CI/CD). While automated tools for enterprise software development exist, tools tailored to the needs of embedded systems are still in their infancy. Distribution focuses on sharing SBOMs across supply chains to enhance security and transparency, while the analysis phase involves continuously monitoring components against vulnerability databases to address emerging risks.

Standardizing SBOM Formats

To maximize their utility, SBOMs rely on standardized formats that enable seamless sharing and analysis. Two prominent formats have emerged: CycloneDX, developed by the OWASP Foundation, and SPDX, supported by the Linux Foundation. CycloneDX takes a practical, real-world approach to SBOM creation, while SPDX offers a more theoretical framework. Although these formats have distinct strengths and limitations, there is potential for a unified meta-format that integrates the advantages of both, enabling broader adoption and compatibility.

Conclusion

The Software Bill of Materials is far more than a security tool. It is a cornerstone of modern software development, ensuring transparency, accountability, and operational efficiency across increasingly complex supply chains. As governments enforce stricter regulations and applications become more interconnected, SBOMs are set to play an even more vital role. Whether for protecting critical infrastructure, securing consumer devices, or ensuring compliance in enterprise environments, SBOMs are indispensable for navigating the challenges of the digital age.