FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government initiative that standardizes security assessments for cloud services used by federal agencies.
SBOMs (software bills of materials) are not explicitly required under the current FedRAMP Rev. 5 baselines. However, they can assist in achieving compliance, and they may soon become a concrete requirement under the proposed FedRAMP 20x.
FedRAMP 20x is an initiative (announced in March 2025) that aims to make the FedRAMP approval process significantly more efficient. The core principle is automation throughout the approval process, including machine-readable evidence wherever possible; FedRAMP has a stated goal of enabling automated validation for more than 80 percent of requirements.
It’s logical, then, that the proposed FedRAMP 20x introduces an SBOM requirement to assist in understanding and managing third-party software supply chain risks. In this blog, we’ll analyze details of the proposed requirement, including its implementation timeline and steps CSPs can take now to prepare.
SBOMs and the Current FedRAMP Rev5
As mentioned, SBOMs are not a requirement in the existing FedRAMP Rev. 5 controls, regardless of whether the CSP falls into the Low, Moderate, or High impact baseline. However, they can be useful in supporting compliance across several control areas. These include:
- Asset Inventory: FedRAMP requires maintaining an up-to-date inventory of system components (CM-8: System Component Inventory). An SBOM enumerates the software packages inside each system component, so it can serve as evidence for that inventory. CM-8 applies to all FedRAMP baseline levels.
- Software Supply Chain Security: FedRAMP security assessment plans expect providers to manage risks from third-party software. SA-9 (External System Services) requires CSPs to establish relationships with their suppliers that preserve a "chain of trust." Ingesting SBOMs from software suppliers, and having a mechanism for refreshing those SBOMs when versions change, gives CSPs ongoing visibility into vulnerabilities that surface in the software they purchase. SA-9 applies to all FedRAMP baseline levels.
- Incident Response & Continuous Monitoring: When a security incident or major vulnerability (like Log4Shell) arises, time is of the essence. FedRAMP's incident response and continuous monitoring requirements (IR-4, CA-7, etc.) demand that providers quickly identify impacted components and remediate vulnerabilities. SBOMs (and SBOM tools like FOSSA) let organizations quickly determine whether, and where, they rely on a vulnerable component. Both IR-4 and CA-7 apply to all FedRAMP baseline levels.
Ultimately, even though you won’t yet see an SBOM explicitly asked for on a FedRAMP checklist, SBOMs do provide transparency and assurance that underpin many FedRAMP objectives.
SBOMs and FedRAMP 20x
SBOMs play an important role in the draft FedRAMP 20x Phase One requirements. In the Key Security Indicators (KSI) draft (which outlines baseline capabilities for the new process), CSPs “must obtain a Software Bill of Materials (SBOM) for third-party commercial software components” as part of their supply chain risk management.
In practice, this means that if your cloud service relies on any third-party commercial software, you would be expected to hold an SBOM from each such vendor or source.
This SBOM requirement goes hand-in-hand with another proposed criterion: ensuring all third-party software providers have a Secure Software Development Attestation on file with CISA (aligned with the self-attestations required by OMB guidance).
It’s important to note that FedRAMP 20x is still in pilot and development, so there are no immediate changes for CSPs yet (except for those actively participating in the ongoing pilot program). Technical details of the proposed requirement (e.g. required SBOM formats and data fields) have also yet to be published, though we’d expect the NTIA’s minimum SBOM elements publication (supplier name, component name, version, unique identifiers, dependency relationship, SBOM author, and timestamp) to serve as the starting point.
FedRAMP 20x Implementation Timeline
FedRAMP 20x Phase One has begun with a pilot for low-impact SaaS offerings. During this phase, requirements like the SBOM for third-party components will be evaluated in real-world use. Successful pilot participants can receive a FedRAMP 20x Low authorization, and lessons learned will feed into refining the process.
Expansion to Moderate/High & Official Rollout: After the Low pilot, FedRAMP 20x will expand to cover moderate-impact systems (Phase Two) and eventually high-impact, incorporating the feedback from earlier phases. Over time, we’d expect the 20x process (with its automation and SBOM requirements) to become an official alternative path — or replacement — for the traditional FedRAMP process.
Preparing for FedRAMP 20x SBOM Requirements
Although the FedRAMP 20x requirements have not been finalized, the writing is on the wall that SBOMs will be a baseline expectation for federal software security moving forward. (For example, even beyond FedRAMP, a proposed FAR rule and recent OMB guidance point to SBOMs becoming standard.)
In other words, if your organization plans on maintaining FedRAMP approval (or if your organization sells software to a FedRAMP-approved entity), it is a good idea to start building SBOM program foundations if you have not done so already. We’d encourage you to consider the following initiatives as a starting point:
- Automate SBOM Generation in Your Build Process: Treat SBOM creation as a built-in step of your software development lifecycle, emitted by the same pipeline that produces each release. SBOM tools like FOSSA can automate the process to ensure your SBOM stays accurate and up-to-date as you ship new software versions.
- Start the SBOM Conversation with Your Suppliers: FedRAMP 20x will require SBOMs for third-party commercial software, so you’ll want to build SBOM delivery (including an updated SBOM with each new version) into your procurement terms and vendor management SLAs.
- Test SBOM Ingestion Tools: Platforms like FOSSA that can ingest supplier SBOMs and continuously monitor the listed components for new vulnerabilities are very helpful in the ongoing work of managing supply chain risk.
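To make the two technical steps concrete, the "whether and where do we rely on a vulnerable component" lookup from the Incident Response & Continuous Monitoring section above and the SBOM ingestion step in this list, here is an added Python example. It is not FOSSA's code or any FedRAMP artifact. It ingests a CycloneDX JSON SBOM, reports which of the NTIA minimum elements are missing, matches each component's package URL (purl) and version against advisory version ranges, and walks the dependency graph to show which of your own components pull the affected package in. The SBOM (component names, versions, supplier names, bom-refs and the dependency graph) is constructed for the example; the advisory ranges are transcribed from the public Log4Shell advisory (CVE-2021-44228) only to illustrate the data shape, and a production tool should load them from an advisory feed instead.

```python
"""Added example: ingest a CycloneDX JSON SBOM, check NTIA minimum elements,
match components against advisory version ranges, and show where an affected
component is used. Sample data is constructed; not FOSSA's or FedRAMP's code."""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM in CycloneDX 1.5 JSON shape (names/versions chosen for the example).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-05-01T12:00:00Z",
        "authors": [{"name": "Example CSP build pipeline"}],
        "component": {"type": "application", "name": "example-saas",
                      "version": "3.2.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "bom-ref": "log4j", "name": "log4j-core", "version": "2.14.1",
         "supplier": {"name": "Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "bom-ref": "jackson", "name": "jackson-databind", "version": "2.15.2",
         "supplier": {"name": "FasterXML"},
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        # Deliberately incomplete entry: no supplier, no purl/cpe, absent from the graph.
        {"type": "library", "bom-ref": "mystery", "name": "mystery-lib", "version": "1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["log4j", "jackson"]},
        {"ref": "log4j", "dependsOn": []},
        {"ref": "jackson", "dependsOn": []},
    ],
})

# OSV-style (introduced, fixed) ranges. Transcribed from the public Log4Shell advisory
# for illustration only; load advisories from a feed in real use.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "ranges": [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+.]?(.*))?$")

def version_key(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sortable key: numeric parts (padded to 3), then pre-release (0) before release (1).
    Simplified: suffixes compare lexicographically; real ecosystems have their own rules."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    suffix = m.group(2) or ""
    return (nums, 0 if suffix else 1, suffix)

def in_range(version: str, introduced: str, fixed: str) -> bool:
    """OSV semantics: introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)

def purl_without_version(purl: str) -> str:
    """Strip the @version, ?qualifiers and #subpath so purls can be compared by package."""
    return purl.split("@", 1)[0].split("?", 1)[0].split("#", 1)[0]

def check_ntia_minimum(sbom: dict) -> List[str]:
    """One finding per missing NTIA minimum element; an empty list means complete."""
    findings: List[str] = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing author of SBOM data")
    graph = set()
    for dep in sbom.get("dependencies", []):
        graph.add(dep.get("ref"))
        graph.update(dep.get("dependsOn", []))
    for c in sbom.get("components", []):
        label = f"{c.get('name', '?')}@{c.get('version', '?')}"
        if not c.get("name"):
            findings.append(f"{label}: missing component name")
        if not c.get("version"):
            findings.append(f"{label}: missing version")
        if not (c.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (c.get("purl") or c.get("cpe")):
            findings.append(f"{label}: missing unique identifier (purl/cpe)")
        if c.get("bom-ref") not in graph:
            findings.append(f"{label}: not present in dependency relationships")
    return findings

def find_affected(sbom: dict, advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """(component name, version, advisory id) for each component inside an affected range."""
    hits = []
    for c in sbom.get("components", []):
        if not c.get("purl") or not c.get("version"):
            continue  # cannot match without an identifier and a version
        base = purl_without_version(c["purl"])
        for adv in advisories:
            if adv["purl"] == base and any(in_range(c["version"], lo, hi) for lo, hi in adv["ranges"]):
                hits.append((c["name"], c["version"], adv["id"]))
    return hits

def dependents_of(sbom: dict, ref: str) -> List[str]:
    """bom-refs that directly depend on ref: answers 'where do we rely on it?'."""
    return sorted(d["ref"] for d in sbom.get("dependencies", []) if ref in d.get("dependsOn", []))

def triage(sbom_json: str, advisories: List[dict]) -> Dict[str, object]:
    sbom = json.loads(sbom_json)
    ref_by_name = {c["name"]: c.get("bom-ref") for c in sbom.get("components", [])}
    affected = find_affected(sbom, advisories)
    return {"ntia_findings": check_ntia_minimum(sbom),
            "affected": affected,
            "where": {name: dependents_of(sbom, ref_by_name[name]) for name, _, _ in affected}}

if __name__ == "__main__":
    result = triage(SAMPLE_SBOM_JSON, ADVISORIES)
    for line in result["ntia_findings"]:
        print("NTIA gap:", line)
    for name, ver, adv in result["affected"]:
        print(f"AFFECTED: {name}@{ver} by {adv}; used by {result['where'][name]}")
```

Two practitioner caveats. First, the match is only as good as the identifiers: the incomplete `mystery-lib` entry cannot be matched against any advisory at all, which is exactly why the NTIA "unique identifier" element matters, and why an ingestion pipeline should reject or quarantine supplier SBOMs that fail the minimum-elements check rather than silently importing them. Second, version comparison is ecosystem-specific (Maven, npm and PyPI all order pre-releases differently); the simplified key above is enough to show the technique but a real tool should use the ecosystem's own comparator.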
Using FOSSA to Manage Proposed FedRAMP SBOM Requirements
Although the proposed SBOM requirements in FedRAMP 20x don’t yet impact the majority of FedRAMP organizations, getting an SBOM plan in place sooner rather than later can certainly help reduce fire drills down the line. Please get in touch with our team to talk to one of our SBOM experts or if you’d like more information on our SBOM management tool.