Software bill of materials: Greater transparency to mitigate cyber threats
- June 10, 2022
Insight summary
The push for Software Bills of Materials (SBOMs) aims to fortify national cybersecurity by requiring detailed lists of components in software projects. This initiative not only enhances collaboration between software and hardware teams but also opens new opportunities in training, compliance, and consulting. However, it also raises challenges, such as potential market exclusion for non-compliant software vendors and the need for ongoing legislative adaptability.
Software bill of materials context
In May 2021, US President Joe Biden issued Executive Order 14028, "Improving the Nation's Cybersecurity," which, among other measures, requires vendors selling software to the federal government to provide purchasers with a software bill of materials (SBOM). The order aims to harden federal networks and the software supply chain that feeds them. It came in response to a series of high-profile cyberattacks, most notably the SolarWinds compromise, in which attackers inserted malicious code into a vendor's build process and reached federal agencies through a trusted software update, highlighting the urgent need for visibility into what software actually contains.
The rise in our reliance on digital technology has made both public and private organizations more vulnerable to cyberattacks. To tackle this issue, the executive order emphasizes the importance of SBOMs, which are essentially detailed inventories of the components used in a software product. At minimum, such an inventory records each component's supplier, name and version, a unique identifier (such as a package URL), and its dependency relationships (the minimum elements published by the NTIA in July 2021); in practice SBOMs are often extended with license information, whether a component is an open-source library, and, via a companion vulnerability statement, which known vulnerabilities actually apply to the product.
By providing this level of detail, SBOMs aim to make it easier for organizations to identify which of their systems contain a vulnerable component and to act before it is exploited. For example, the May 2021 ransomware attack on Colonial Pipeline, which carries fuel from Houston, Texas, to the US East Coast, forced a shutdown of nearly a week and disrupted fuel supplies. An SBOM is only a partial fit for that case: the intrusion began with a compromised VPN credential rather than a vulnerable software component, so an inventory alone would not have prevented it. Where SBOMs do shorten incident timelines is when a flaw is disclosed in a widely used library and the question "which of our products ship this component?" must be answered; by hand that can take weeks, with an accurate inventory it takes minutes. This is particularly crucial for systems that control physical infrastructure, where a cyberattack could have immediate and far-reaching consequences.
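The workflow described above, reduced to code as an added example (it is not from the article or any source it cites): parse a small CycloneDX 1.4 document, match each component's package URL and version against an advisory list, and walk the dependency graph to show which direct dependency pulled the affected library in. The SBOM document and the advisory records are constructed for this example; package names, versions and advisory identifiers are invented, and version comparison assumes plain dotted numeric versions.

```python
# Added example, not the article's: the SBOM and advisories below are
# constructed; package names, versions and advisory IDs are invented.
import json
from typing import List, Optional, Tuple

# Constructed CycloneDX 1.4 document for a hypothetical "payments-api" build.
# bom-ref values double as package URLs so the component list and the
# dependency graph share identifiers.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"timestamp": "2022-06-10T00:00:00Z",
               "component": {"type": "application", "bom-ref": "app",
                             "name": "payments-api", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "web-core", "version": "2.4.1",
     "bom-ref": "pkg:maven/example/web-core@2.4.1", "purl": "pkg:maven/example/web-core@2.4.1"},
    {"type": "library", "name": "log-util", "version": "1.9.3",
     "bom-ref": "pkg:maven/example/log-util@1.9.3", "purl": "pkg:maven/example/log-util@1.9.3"},
    {"type": "library", "name": "json-parse", "version": "5.0.2",
     "bom-ref": "pkg:maven/example/json-parse@5.0.2", "purl": "pkg:maven/example/json-parse@5.0.2"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/example/web-core@2.4.1"]},
    {"ref": "pkg:maven/example/web-core@2.4.1",
     "dependsOn": ["pkg:maven/example/log-util@1.9.3", "pkg:maven/example/json-parse@5.0.2"]},
    {"ref": "pkg:maven/example/log-util@1.9.3", "dependsOn": []},
    {"ref": "pkg:maven/example/json-parse@5.0.2", "dependsOn": []}
  ]
}
"""

# Hypothetical advisories keyed by versionless purl. Ranges are half-open:
# a component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:maven/example/log-util", "introduced": "1.0.0", "fixed": "1.9.4"},
    {"id": "ADV-0002", "package": "pkg:maven/example/json-parse", "introduced": "4.0.0", "fixed": "5.0.0"},
    {"id": "ADV-0003", "package": "pkg:maven/example/web-core", "introduced": "2.4.0", "fixed": "2.4.1"},
]

def parse_version(text: str) -> Tuple[int, ...]:
    """'1.9.3' -> (1, 9, 3). Assumes plain dotted numerics; real ecosystems
    (Maven qualifiers, PEP 440, semver pre-releases) need their own rules."""
    return tuple(int(part) for part in text.split("."))

def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under numeric comparison."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:maven/example/log-util@1.9.3' -> ('pkg:maven/example/log-util', '1.9.3')."""
    package, _, version = purl.rpartition("@")
    return package, version

def load_sbom(text: str) -> dict:
    """Parse the JSON and reject anything that is not a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom

def find_affected(sbom: dict, advisories: List[dict]) -> List[Tuple[str, str]]:
    """Return (purl, advisory id) pairs for components inside an affected range."""
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no identifier, no match: real tooling should flag this gap
        package, version = split_purl(purl)
        for adv in advisories:
            if adv["package"] == package and in_range(version, adv["introduced"], adv["fixed"]):
                findings.append((purl, adv["id"]))
    return findings

def dependency_path(sbom: dict, target: str) -> Optional[List[str]]:
    """Depth-first walk from the root component over the dependency graph.
    Returns the chain of bom-refs that pulls `target` in, i.e. which direct
    dependency the team has to upgrade."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    stack, seen = [(sbom["metadata"]["component"]["bom-ref"], [])], set()
    while stack:
        node, path = stack.pop()
        path = path + [node]
        if node == target:
            return path
        if node in seen:
            continue
        seen.add(node)
        stack.extend((child, path) for child in graph.get(node, []))
    return None

def triage(sbom_text: str, advisories: List[dict]) -> List[dict]:
    """Full pass: parse, match advisories, attach the dependency path."""
    sbom = load_sbom(sbom_text)
    return [{"component": purl, "advisory": adv_id, "path": dependency_path(sbom, purl)}
            for purl, adv_id in find_affected(sbom, advisories)]

if __name__ == "__main__":
    for row in triage(SBOM_JSON, ADVISORIES):
        print(row["advisory"], row["component"], "via", " -> ".join(row["path"]))
```

Matching on the package URL rather than the bare component name is what makes this reliable: "log-util" may exist in several ecosystems, but `pkg:maven/example/log-util` names exactly one. In production the advisory list comes from a feed such as OSV or the NVD and version comparison must follow the ecosystem's own rules; the shape of the check, inventory in, affected components and their import path out, stays the same.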
Disruptive impact
The push for SBOMs aims to create an industry standard that could be adopted by a wide range of stakeholders, from software developers to hardware manufacturers. This initiative encourages these teams to work more closely together when designing and building products. Because an SBOM describes components in a tool-neutral format (CycloneDX and SPDX are the two widely used ones), it gives a consistent view of what a product contains regardless of the build tools that produced it, and lets a hardware vendor's firmware inventory and a software vendor's application inventory be read and compared the same way.
The adoption of SBOMs has the potential to significantly improve communication and coordination between hardware and software teams. An SBOM itself is a point-in-time artifact, generated when a build or release is produced; its value for rapid response comes from continuously matching that inventory against new vulnerability disclosures, so that a fresh advisory can be mapped to affected products as soon as it is published rather than after a manual survey. Used this way, SBOMs let defenders identify and address security vulnerabilities before cybercriminals or other hostile actors exploit them. For software users and vendors, this means greater confidence in the security of the products they use or sell, provided the SBOM is accurate and regenerated with each release.
The federal mandate for SBOMs is also likely to open up new avenues in training, compliance, and cybersecurity consulting. This creates an opportunity for software platform vendors to develop new product lines tailored specifically for federal government requirements. These specialized products could then become the new standard for other sectors, leading to a ripple effect of improved cybersecurity measures across industries.
Implications of SBOMs
Wider implications of SBOMs may include:
- Enhanced regulatory governance over software licenses leading to more transparent and legally compliant use and distribution of software.
- Other national governments adopting SBOM legislation to both strengthen their domestic cybersecurity and improve economic integration with the U.S.
- Software vendors unable to produce an SBOM being excluded from markets due to non-compliance, raising the bar for market entry.
- Commercial enterprises setting their own SBOM requirements for vendors, aligning with government directives to improve the durability, reliability, and security of their digital systems.
- A shift in business models for cybersecurity consulting firms, focusing more on SBOM compliance and auditing, creating new revenue streams.
- Increased job opportunities in the fields of cybersecurity and software auditing, as the demand for experts who can navigate SBOM requirements grows.
- A potential rise in software costs for end-users, as companies may pass on the expenses associated with SBOM compliance to consumers.
- Policymakers facing challenges in keeping SBOM legislation updated, as they need to adapt to rapidly evolving cybersecurity threats and technologies.
Questions to consider
- Given that the Biden administration’s executive order concerning SBOMs was in response to a cyberattack on federal assets, do you think SBOMs might reduce the frequency and extent of cyberattacks going forward?
- With SBOMs providing intricate information and details regarding the composition and design of a software product, do SBOMs themselves represent a security threat if hostile actors can access them? How can this scenario be prevented?