The Comprehensive Guide to SBOM Compliance Requirements

As software supply chain threats continue to increase across the globe, a number of regulatory bodies have adopted SBOM (software bill of materials) requirements to help strengthen security.

From Los Angeles to London and plenty of locations in between, governments and industry groups now require organizations in certain industries to be able to generate and distribute comprehensive SBOMs, often in service of specific vulnerability management objectives.

This guide will break down the biggest SBOM compliance regulations in effect today, including timelines, impacted organizations, and technical requirements. It will also provide a brief overview of SBOM recommendations that could conceivably become requirements in the years ahead.

U.S. Government Cybersecurity Executive Order 14028

The U.S. government’s 2021 Executive Order on Improving America’s Cybersecurity includes a provision requiring organizations to produce an SBOM with each product sold to federal government agencies. The Executive Order was followed by NTIA guidance outlining the minimum elements for an SBOM, which communicated requirements for data fields, automation, and processes.

Individual federal agencies have started to take action to formalize implementation of requirements stemming from the Executive Order. For example, in August of 2024, the U.S. Army announced new regulations impacting software contractors and subcontractors.

Who It Impacts

U.S. federal government agencies may require vendors to produce an SBOM as part of solicitation requirements.

Timeline for Compliance

A September 2022 memo from the U.S. OMB (Office of Management and Budget) formally required agencies to comply with the secure software development guidance that stemmed from the Executive Order.

Requirement Text

Section 4 of the Executive Order reads in part that federal government vendors should provide:

“... a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website.”

Requirement Analysis

The 2021 Executive Order and subsequent guidance laid the foundation for many of the SBOM-related regulations that have been enacted in recent years. Organizations that do business with the federal government should be prepared to generate SBOMs that meet or exceed the following standards:

Data fields
Supplier Name, Component Name, Version of the Component, Other Unique Identifiers, Dependency Relationship, Author of SBOM Data, Timestamp

Automation support
SBOMs generated in either CycloneDX or SPDX (or, theoretically, SWID Tag)

Practices and processes
SBOMs should include all top-level and transitive dependencies and should be updated after new releases, among other requirements

FDA (Food and Drug Administration)

The U.S. FDA (Food and Drug Administration) now requires manufacturers of certain medical devices to submit an SBOM during the premarket review process. The requirement applies to “cyber devices,” which are defined as devices that can connect to the internet, have characteristics that could be vulnerable to cyber threats, and include software.

In addition to requiring an SBOM with commonly used data fields, the FDA requires device manufacturers to provide the end-of-life date and support level for each software component, along with an assessment of known vulnerabilities and a plan for remediating them.

Who It Impacts

Manufacturers of medical “cyber devices” who wish to sell their products in the United States. 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, and Humanitarian Device Exemption (HDE) submissions (among others) must be delivered with an SBOM.

Timeline for Compliance

The requirement applies to applications submitted to the FDA on or after March 29, 2023.

Requirement Text

Section 524B, “Ensuring Cybersecurity of Devices,” of the U.S. government’s amendment to the Federal Food, Drug, and Cosmetic Act (FD&C Act) reads in part:

“Provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components…”

Requirement Analysis

There are three primary elements to the FDA’s SBOM regulation; device manufacturers must fulfill all three to ensure compliance:

Generating the SBOM itself
The key consideration is to ensure the document meets or exceeds the NTIA’s minimum requirements discussed earlier in this article.

Providing end-of-life and level-of-support information for all software components included in the SBOM
This requirement applies to all types of components, including open source.

Including an assessment of known vulnerabilities along with mitigations that address the vulnerability
There are multiple ways to communicate vulnerability information. One approach is by using VEX (Vulnerability Exploitability eXchange), which has standardized fields for communicating exploitability and mitigation status.
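The NTIA minimum elements listed above and the FDA's vulnerability-assessment element can both be checked mechanically once an SBOM exists in a machine-readable format. The following is an added example, not FOSSA's code or any regulator's reference implementation: it walks a constructed CycloneDX 1.5 JSON document, reports every NTIA field that is missing (mapping each field to its CycloneDX location), and lists embedded VEX entries that still lack a closed analysis state. Component names, supplier names and vulnerability ids in the sample are placeholders.

```python
import json

# Constructed CycloneDX 1.5 sample (not a real product SBOM); the vulnerability
# ids are labelled placeholders, not real CVE numbers.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2024-09-01T12:00:00Z",
               "authors": [{"name": "Example Vendor SBOM Team"}]},
  "components": [
    {"bom-ref": "app", "type": "application", "name": "example-app",
     "version": "2.1.0", "supplier": {"name": "Example Vendor"},
     "purl": "pkg:generic/example-app@2.1.0"},
    {"bom-ref": "lib", "type": "library", "name": "libfoo", "version": "1.4.2",
     "supplier": {"name": "Foo Project"}, "purl": "pkg:generic/libfoo@1.4.2"},
    {"bom-ref": "orphan", "type": "library", "name": "libbar",
     "purl": "pkg:generic/libbar"}
  ],
  "dependencies": [{"ref": "app", "dependsOn": ["lib"]}],
  "vulnerabilities": [
    {"id": "PLACEHOLDER-VULN-1", "affects": [{"ref": "lib"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "PLACEHOLDER-VULN-2", "affects": [{"ref": "orphan"}]}
  ]
}""")

def ntia_findings(bom):
    """Return NTIA minimum-element gaps: author/timestamp, then per-component fields."""
    findings, meta = [], bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("sbom: missing metadata.timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("sbom: missing SBOM author (metadata.authors/tools)")
    # Every bom-ref should appear somewhere in the dependency graph (top-level or transitive).
    in_graph = {r for d in bom.get("dependencies", [])
                for r in [d.get("ref"), *d.get("dependsOn", [])]}
    checks = [("component name", lambda c: c.get("name")),
              ("version", lambda c: c.get("version")),
              ("supplier name", lambda c: c.get("supplier", {}).get("name")),
              ("unique identifier (purl/cpe/swid)", lambda c: c.get("purl") or c.get("cpe") or c.get("swid")),
              ("dependency-graph entry", lambda c: c.get("bom-ref") in in_graph)]
    for c in bom.get("components", []):
        label = c.get("name") or c.get("bom-ref") or "<unnamed>"
        findings += [f"{label}: missing {what}" for what, ok in checks if not ok(c)]
    return findings

def unresolved_vulns(bom):
    """Ids of embedded VEX entries whose analysis state is not a closed one."""
    closed = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}
    return [v.get("id", "<no-id>") for v in bom.get("vulnerabilities", [])
            if v.get("analysis", {}).get("state") not in closed]
```

Running both functions over a real SBOM before submission gives a reviewer the two lists a regulator will ask about first: which minimum fields are absent, and which known vulnerabilities still have no documented disposition.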

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS — the Payment Card Industry Data Security Standard — is a set of security rules that apply to organizations that accept, process, store, transmit, or otherwise interact with credit card information. Financial services is one of the main industries facing PCI compliance pressures, but retailers, IT providers, and many other types of entities must be PCI-compliant as well.

PCI DSS introduced an SBOM requirement in v4.0, which was released in March 2022. The SBOM requirement is also present in PCI DSS v4.1, which is a very minor revision to 4.0.

Who It Impacts

Any systems that interact with credit card information. Also, systems that aren’t in the cardholder data environment (CDE) but can adversely affect it.

Timeline for Compliance

PCI DSS’ SBOM requirement takes effect on March 31, 2025.

Requirement Text

PCI DSS Section 6.3.2 reads in part:

“An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.”

Requirement Analysis

There are two primary parts of the SBOM requirement in PCI DSS.

The software inventory

Using that software inventory to enable vulnerability management

The most realistic and scalable approach to fulfilling these requirements is to create machine-readable SBOMs (in either SPDX or CycloneDX) and use tooling that analyzes those SBOMs and produces up-to-date reports on vulnerabilities and remediation progress.

CRA (Cyber Resilience Act)

Who It Impacts

Organizations selling digital products in the European Union. SaaS with no local components (apps, systems) are exempt, as are industries and products that are already strictly regulated (automotive, aviation, military, and medical systems).

Timeline for Compliance

SBOM requirements will take effect three years after the CRA enters into force. Since the CRA is expected to enter into force sometime in the second half of 2024, SBOM requirements will likely be enforced in 2027.


Requirement Analysis

Unlike the other requirements we’ve covered so far, the CRA’s SBOM mandate does not yet specify details such as required formats and data fields. That will change in the years ahead, but, for now, manufacturers of digital products sold in the EU would be wise to start planning the tools and processes they will use to generate SBOMs.

We should also note that the CRA makes clear that manufacturers will not have to publicly distribute their SBOMs; sharing SBOMs privately with market surveillance authorities will be sufficient for compliance.

Other SBOM Guidelines and Guidance

A number of government bodies and regulators have published SBOM guidance. Below is a sampling of these guidelines and recommendations.

International Medical Device Regulators Forum (IMDRF)

IMDRF — the International Medical Device Regulators Forum — is a global organization that aims to promote effective regulation of medical devices. In 2023, the IMDRF published “Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity,” a technical document with SBOM-related guidance for both device manufacturers and healthcare delivery organizations.

Australian Cyber Security Centre

The Australian Cyber Security Centre’s “Guidelines for Software Development” recommends that “a software bill of materials is produced and made available to consumers of software.”

U.S. National Highway Traffic Safety Administration

The U.S. National Highway Traffic Safety Administration’s updated “Cybersecurity Best Practices for the Safety of Modern Vehicles” publication recommends that auto manufacturers and suppliers maintain an SBOM. Section 4.2.6, “Inventory and Management of Hardware and Software Assets on Vehicles,” reads in part: “Suppliers and vehicle manufacturers should maintain a database of their operational hardware and software components used in each automotive ECU, each assembled vehicle, and a history log of version updates applied over the vehicle’s lifetime.”

Canadian Forum for Digital Infrastructure Resilience

The Canadian Forum for Digital Infrastructure Resilience (a public-private partnership created to strengthen Canada’s critical digital infrastructure) published “Recommendations to Improve the Resilience of Canada’s Digital Supply Chain” in June of 2022. The report recommends organizations use SBOMs to better understand and reduce software supply chain risks. Additionally, the Canadian Centre for Cyber Security’s 2023 “Protecting Your Organization from Software Supply Chain Threats” publication highlights requesting SBOMs as a good practice to vet potential software suppliers.

U.S. National Institute of Standards and Technology

NIST SP 800-161r1 — Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations — is a set of recommendations from the U.S. National Institute of Standards and Technology. SBOMs are highlighted throughout the document.

German BSI (Federal Office for Information Security)

The German BSI (Federal Office for Information Security) published Technical Guideline TR-03183. As we mentioned earlier, the EU’s proposed CRA doesn’t include specific requirements in areas like SBOM format, data fields, and update frequency. TR-03183 attempts to fill that void with concrete guidance. The document aims to “provide manufacturers with advance access to the type of requirements that will be imposed on them by the future Cyber Resilience Act.”

How FOSSA Helps with SBOM Compliance

FOSSA’s SBOM management add-on helps organizations automate compliance with regulatory requirements. Here’s a brief overview of the ways our platform supports SBOM compliance activities:

Generate SBOMs in either SPDX or CycloneDX with all NTIA-required data fields

Enrich SBOMs with support information showing whether projects are actively maintained (to enable FDA compliance)

Communicate vulnerability information, along with automated VEX annotations, to capture the current status of vulnerabilities (to enable FDA and PCI DSS compliance)

Securely share SBOMs with regulatory bodies and/or customers with our private distribution portal

For more information on our SBOM management solution