The Comprehensive Guide to SBOM Compliance Requirements
As software supply chain threats continue to increase across the globe, a number of regulatory bodies have adopted SBOM (software bill of materials) requirements to help strengthen security.
From Los Angeles to London and plenty of locations in between, governments and industry groups now require organizations in certain industries to be able to generate and distribute comprehensive SBOMs, often in service of specific vulnerability management objectives.
This guide will break down the biggest SBOM compliance regulations in effect today, including timelines, impacted organizations, and technical requirements. It will also provide a brief overview of SBOM recommendations that could conceivably become requirements in the years ahead.
U.S. Government Cybersecurity Executive Order 14028
The U.S. government’s 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, includes a provision that vendors provide an SBOM for each software product sold to federal government agencies. The Executive Order was followed by NTIA guidance, “The Minimum Elements For a Software Bill of Materials (SBOM)” (July 2021), which set out requirements in three areas: data fields, automation support, and practices and processes.
Individual federal agencies have started to take action to formalize implementation of requirements stemming from the Executive Order. For example, in August of 2024, the U.S. Army announced new regulations impacting software contractors and subcontractors.
Who It Impacts
U.S. federal government agencies may require vendors to produce an SBOM as part of solicitation requirements.
Timeline for Compliance
A September 2022 memo from the U.S. OMB (Office of Management and Budget), M-22-18, formally required agencies to obtain attestations that the software they procure follows the NIST secure software development guidance that stemmed from the Executive Order, and allowed agencies to require an SBOM from vendors as part of that process.
Requirement Text
Section 4(e) of the Executive Order lists, among the practices that software vendors to the federal government should follow, providing a purchaser:
“... a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website.”
Requirement Analysis
The 2021 Executive Order and subsequent guidance laid the foundation for many of the SBOM-related regulations that have been enacted in recent years. Organizations that do business with the federal government should be prepared to generate SBOMs that meet or exceed the following standards:
Data fields: Supplier Name, Component Name, Version of the Component, Other Unique Identifiers, Dependency Relationship, Author of SBOM Data, Timestamp
Automation support: SBOMs generated in one of the three machine-readable formats the NTIA names, SPDX, CycloneDX, or SWID tags
Practices and processes: SBOMs should include all top-level components with their transitive dependencies (or explicitly flag “known unknowns” where the graph is incomplete), should be regenerated with each new build or release, and should be distributed with appropriate access controls, among other requirements
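As an added example (not code from the original article or from the NTIA), here is a small checker that loads a CycloneDX 1.5 JSON SBOM and reports which of the NTIA minimum elements are missing, using the field mapping CycloneDX documents for those elements. The SBOM embedded in it is constructed for the demo: package names and versions are illustrative, and two components are deliberately left incomplete so the checker has something to report.

```python
"""Check a CycloneDX 1.5 JSON SBOM against the NTIA minimum elements.

Added example; not code from the original article. The SBOM below is
constructed for the demo (names/versions are illustrative).
Field mapping, as documented for CycloneDX:
  Supplier Name            -> components[].supplier.name (or publisher)
  Component Name           -> components[].name
  Version of the Component -> components[].version
  Other Unique Identifiers -> components[].purl / cpe / swid
  Dependency Relationship  -> dependencies[] (ref -> dependsOn)
  Author of SBOM Data      -> metadata.authors[] (or metadata.tools)
  Timestamp                -> metadata.timestamp
"""
import json

SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {
        "timestamp": "2024-08-01T12:00:00Z",
        "authors": [{"name": "Example Build Team"}],
        "component": {"type": "application", "bom-ref": "app",
                      "name": "payments-api", "version": "3.4.1",
                      "supplier": {"name": "Example Corp"}},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0",
         "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "supplier": {"name": "Python Software Foundation"}},
        # Deliberately incomplete: no supplier and no purl/cpe/swid.
        {"type": "library", "bom-ref": "urllib3",
         "name": "urllib3", "version": "2.0.7"},
        # Listed, but never referenced by the dependency graph.
        {"type": "library", "bom-ref": "pkg:pypi/certifi@2024.2.2",
         "name": "certifi", "version": "2024.2.2",
         "purl": "pkg:pypi/certifi@2024.2.2",
         "supplier": {"name": "Kenneth Reitz"}},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["urllib3"]},
    ],
})


def check_ntia_minimum(bom_json):
    """Return a list of findings; an empty list means every minimum element is present."""
    bom = json.loads(bom_json)
    findings = []

    meta = bom.get("metadata") or {}
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing author of SBOM data (authors/tools)")
    root_ref = (meta.get("component") or {}).get("bom-ref")

    # Dependency graph: every ref that appears on either side of an edge.
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    in_graph = set(deps) | {t for targets in deps.values() for t in targets}
    known_refs = {c.get("bom-ref") for c in bom.get("components", [])} | {root_ref}

    for c in bom.get("components", []):
        label = c.get("name") or c.get("bom-ref") or "<unnamed>"
        if not c.get("name"):
            findings.append(f"{label}: missing component name")
        if not c.get("version"):
            findings.append(f"{label}: missing version")
        if not ((c.get("supplier") or {}).get("name") or c.get("publisher")):
            findings.append(f"{label}: missing supplier name")
        if not any(c.get(k) for k in ("purl", "cpe", "swid")):
            findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")
        if c.get("bom-ref") not in in_graph:
            findings.append(f"{label}: not present in dependency graph")

    if root_ref and root_ref not in deps:
        findings.append("dependencies: root component has no dependency entry")
    for ref, targets in deps.items():
        for t in targets:
            if t not in known_refs:
                findings.append(f"dependencies: {ref} depends on unknown ref {t}")
    return findings


if __name__ == "__main__":
    for finding in check_ntia_minimum(SAMPLE_BOM):
        print(finding)
```

The graph checks are the ones most SBOM generators get wrong: a component that no dependency edge references is a “known unknown” the NTIA guidance says must be flagged, and a dependsOn target with no matching bom-ref means the SBOM cannot be walked to its transitive dependencies.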
U.S. FDA (Food and Drug Administration)
The U.S. FDA (Food and Drug Administration) now requires manufacturers of certain medical devices to submit an SBOM during the premarket review process. The requirement, codified in Section 524B of the Federal Food, Drug, and Cosmetic Act, applies to “cyber devices,” which are defined as devices that include software, can connect to the internet, and have technological characteristics that could be vulnerable to cybersecurity threats.
In addition to requiring an SBOM with commonly used data fields, the FDA mandates device manufacturers to provide information about end-of-life date and support level for each software component, along with an assessment (and remediation plan) of known vulnerabilities.
Who It Impacts
Manufacturers of medical “cyber devices” who wish to sell their products in the United States. 510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, and Humanitarian Device Exemption (HDE) submissions (among others) must be delivered with an SBOM.
Timeline for Compliance
The requirement applies to applications submitted to the FDA on or after March 29, 2023.
Requirement Text
Section 524B(b) of the Federal Food, Drug, and Cosmetic Act requires the sponsor of a cyber device to:
“Provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components…”
Requirement Analysis
There are three primary elements to the FDA’s SBOM regulation; device manufacturers must fulfill all three to ensure compliance:
Generating the SBOM itself: the key consideration is to ensure the document meets or exceeds the NTIA’s minimum elements discussed earlier in this article.
Providing end-of-life and level-of-support information for all software components included in the SBOM: this requirement applies to all types of components, including open source.
Including an assessment of known vulnerabilities along with mitigations that address each vulnerability: there are multiple ways to communicate vulnerability information. One approach is VEX (Vulnerability Exploitability eXchange), which has standardized fields for communicating exploitability and mitigation status.
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS — the Payment Card Industry Data Security Standard — is a set of security rules that apply to organizations that accept, process, store, transmit, or otherwise interact with credit card information. Financial services is one of the main industries facing PCI compliance pressures, but retailers, IT providers, and many other types of entities must be PCI-compliant as well.
PCI DSS introduced an SBOM requirement in v4.0, which was released in March 2022. The requirement is retained unchanged in PCI DSS v4.0.1, the minor revision published in June 2024.
Who It Impacts
Entities whose systems store, process, or transmit cardholder data, including systems outside the cardholder data environment (CDE) that could adversely affect its security.
Timeline for Compliance
PCI DSS’ SBOM requirement (6.3.2) is a best practice until March 31, 2025, after which it is mandatory and assessed in every PCI DSS assessment.
Requirement Text
PCI DSS Requirement 6.3.2 reads in part:
“An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.”
Requirement Analysis
There are two primary parts of the SBOM requirement in PCI DSS.
The software inventory
Using that software inventory to enable vulnerability management
The most realistic and scalable approach to fulfilling these requirements is to generate machine-readable SBOMs (in either SPDX or CycloneDX) and use tooling that analyzes those SBOMs against current vulnerability data and produces up-to-date reports on findings and remediation progress.
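The FDA’s known-vulnerability assessment (above) and PCI DSS 6.3.2’s inventory “to facilitate vulnerability and patch management” come down to the same join: SBOM components against a vulnerability feed, with VEX statements overriding the default assumption that every match is exploitable. The following added example (not code from the original article or from any vendor) performs that join. The component list, advisory feed, and VEX statements are constructed; the EXAMPLE-* identifiers are placeholders rather than real advisories, and the feed is matched on exact package URL for simplicity, where a real feed matches version ranges. The VEX statements follow the OpenVEX statement shape (vulnerability, products, status, justification).

```python
"""Join SBOM components with a vulnerability feed and apply VEX statements to
produce a remediation report.

Added example; not code from the original article or any vendor. All data
below is constructed: EXAMPLE-* IDs are placeholders, not real advisories,
and the feed is matched on exact package URL (a real feed matches version
ranges). VEX statements use the OpenVEX statement shape.
"""
import json

# Constructed: the components section of an SBOM, reduced to the fields needed.
SAMPLE_COMPONENTS = [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
    {"name": "certifi", "version": "2024.2.2", "purl": "pkg:pypi/certifi@2024.2.2"},
]

# Constructed advisory feed (placeholder IDs). The last entry matches nothing we ship.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl": "pkg:pypi/urllib3@2.0.7", "severity": "high", "fixed_in": "2.0.8"},
    {"id": "EXAMPLE-2024-0002", "purl": "pkg:pypi/requests@2.31.0", "severity": "medium", "fixed_in": "2.32.0"},
    {"id": "EXAMPLE-2024-0003", "purl": "pkg:pypi/certifi@2024.2.2", "severity": "low", "fixed_in": None},
    {"id": "EXAMPLE-2024-0004", "purl": "pkg:pypi/flask@3.0.0", "severity": "high", "fixed_in": "3.0.1"},
]

# Constructed VEX statements. The third is deliberately invalid: OpenVEX requires
# a justification on every not_affected statement.
SAMPLE_VEX = [
    {"vulnerability": {"name": "EXAMPLE-2024-0002"},
     "products": [{"@id": "pkg:pypi/requests@2.31.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "EXAMPLE-2024-0001"},
     "products": [{"@id": "pkg:pypi/urllib3@2.0.7"}],
     "status": "under_investigation"},
    {"vulnerability": {"name": "EXAMPLE-2024-0003"},
     "products": [{"@id": "pkg:pypi/certifi@2024.2.2"}],
     "status": "not_affected"},
]

VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}
OPEN_STATUS = {"affected", "under_investigation"}


def index_vex(statements):
    """Map (vulnerability id, product purl) -> statement, discarding statements an
    assessor would reject: unknown status, or not_affected with no justification."""
    idx = {}
    for s in statements:
        status = s.get("status")
        if status not in VALID_STATUS:
            continue
        if status == "not_affected" and not s.get("justification"):
            continue
        for p in s.get("products", []):
            idx[(s["vulnerability"]["name"], p["@id"])] = s
    return idx


def build_report(components, advisories, vex_statements):
    """One row per advisory that matches a shipped component. With no VEX
    statement the finding stays 'affected': absence of analysis is not a pass."""
    by_purl = {c["purl"]: c for c in components if c.get("purl")}
    vex = index_vex(vex_statements)
    rows = []
    for adv in advisories:
        comp = by_purl.get(adv["purl"])
        if comp is None:
            continue  # advisory does not touch anything in this SBOM
        stmt = vex.get((adv["id"], adv["purl"]))
        status = stmt["status"] if stmt else "affected"
        if status == "not_affected":
            action = f"no action ({stmt['justification']})"
        elif status == "fixed":
            action = "none; already remediated"
        elif status == "under_investigation":
            action = "complete analysis" + (f"; fix available in {adv['fixed_in']}" if adv["fixed_in"] else "")
        elif adv["fixed_in"]:
            action = f"upgrade to {adv['fixed_in']}"
        else:
            action = "no fix available; mitigate or document risk acceptance"
        rows.append({"id": adv["id"],
                     "component": f"{comp['name']}@{comp['version']}",
                     "severity": adv["severity"],
                     "status": status,
                     "action": action})
    return rows


def summarize(rows):
    """Counts an assessor wants on the first page of the report."""
    open_count = sum(1 for r in rows if r["status"] in OPEN_STATUS)
    return {"total": len(rows), "open": open_count, "closed": len(rows) - open_count}


if __name__ == "__main__":
    report = build_report(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES, SAMPLE_VEX)
    print(json.dumps({"summary": summarize(report), "findings": report}, indent=2))
```

Two design choices matter for an assessor: a match with no VEX statement is reported as affected rather than silently dropped, and a not_affected statement without a justification is ignored rather than trusted, so an incomplete or sloppy VEX file cannot make findings disappear from the report.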
EU Cyber Resilience Act (CRA)
The EU Cyber Resilience Act (CRA) sets cybersecurity requirements for manufacturers of products with digital elements placed on the EU market, including an obligation to draw up an SBOM.
Who It Impacts
Organizations selling products with digital elements in the European Union. Pure SaaS offerings with no local components (apps, systems) are out of scope, as are product categories already covered by sector-specific regulation (automotive, aviation, military, and medical devices).
Timeline for Compliance
SBOM requirements will take effect three years after the CRA enters into force. Since the CRA is expected to enter into force sometime in the second half of 2024, SBOM requirements will likely be enforced in 2027.
Requirement Text
Annex I, Part II of the CRA (vulnerability handling requirements) requires manufacturers to:
“identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products”
Requirement Analysis
Unlike the other requirements we’ve covered so far, the CRA’s SBOM mandate is light on specifics: the regulation itself asks only for a commonly used, machine-readable format covering at least the product’s top-level dependencies, and leaves formats, data fields, and update frequency to later implementing acts and standards. That will change in the years ahead, but, for now, manufacturers of digital products sold in the EU would be wise to start planning the tooling and processes they will need to generate SBOMs.
We should also note that the CRA makes clear that manufacturers will not have to publicly distribute their SBOMs; providing the SBOM to market surveillance authorities on request is sufficient for compliance.
SBOM Recommendations and Guidance
A number of government bodies and regulators have published SBOM guidance. Below is a sampling of these guidelines and recommendations.
International Medical Device Regulators Forum (IMDRF)
IMDRF — the International Medical Device Regulators Forum — is a global organization that aims to promote effective regulation of medical devices. In 2023, the IMDRF published “Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity,” a technical document with SBOM-related guidance for both device manufacturers and healthcare delivery organizations.
Australian Cyber Security Centre
The Australian Cyber Security Centre’s “Guidelines for Software Development” recommends that “a software bill of materials is produced and made available to consumers of software.”
U.S. National Highway Traffic Safety Administration
The U.S. National Highway Traffic Safety Administration’s updated “Cybersecurity Best Practices for the Safety of Modern Vehicles” publication recommends that auto manufacturers and suppliers maintain an SBOM. Section 4.2.6, “Inventory and Management of Hardware and Software Assets on Vehicles,” reads in part: “Suppliers and vehicle manufacturers should maintain a database of their operational hardware and software components used in each automotive ECU, each assembled vehicle, and a history log of version updates applied over the vehicle’s lifetime.”
Canadian Forum for Digital Infrastructure Resilience
The Canadian Forum for Digital Infrastructure Resilience (a public-private partnership created to strengthen Canada’s critical digital infrastructure) published “Recommendations to Improve the Resilience of Canada’s Digital Supply Chain” in June of 2022. The report recommends organizations use SBOMs to better understand and reduce software supply chain risks. Additionally, the Canadian Centre for Cyber Security’s 2023 “Protecting Your Organization from Software Supply Chain Threats” publication highlights requesting SBOMs as a good practice to vet potential software suppliers.
U.S. National Institute of Standards and Technology
NIST SP 800-161r1 — Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations — is a set of recommendations from the U.S. National Institute of Standards and Technology. SBOMs are highlighted throughout the document.
German BSI (Federal Office for Information Security)
The German BSI (Federal Office for Information Security) published Technical Guideline TR-03183, “Cyber Resilience Requirements for Manufacturers and Products,” whose Part 2 is devoted to SBOMs. As mentioned earlier, the EU’s CRA doesn’t include specific requirements in areas like SBOM format, data fields, and update frequency. TR-03183 attempts to fill that void with concrete guidance; the document aims to “provide manufacturers with advance access to the type of requirements that will be imposed on them by the future Cyber Resilience Act.”
Generate SBOMs in either SPDX or CycloneDX with all NTIA-required data fields
Enrich SBOMs with support information showing whether projects are actively maintained (to enable FDA compliance)
Communicate vulnerability information, along with automated VEX annotations, to capture the current status of vulnerabilities (to enable FDA and PCI DSS compliance)
Securely share SBOMs with regulatory bodies and/or customers with our private distribution portal