Requires federal agencies to request SBOMs from software vendors and includes the NTIA outline for the minimum elements for an SBOM.
Requires that manufacturers of cyber devices provide an SBOM for the commercial, open-source and off-the-shelf software components contained within the devices.
This effort introduced a new framework that expands on the original guidance from the NTIA and includes direction on what to include in an SBOM and processes for SBOM creation and sharing.
This directive mandates the inclusion of SBOMs in new software contracts, including commercial off-the-shelf products.
The Cyber Resilience Act (CRA) mandates SBOM generation for products with software components sold in the EU. SBOMs must be in a machine-readable format and include the top-level dependencies of the product. SBOMs must be included in a product’s technical documentation and provided to market surveillance authorities upon request.
While there are no official standards yet, the National Cyber Security Centre (NCSC) recognizes that SBOMs are being increasingly used in many settings and promotes SBOM adoption as a best practice.
The German Federal Office for Information Security (BSI) has adopted Technical Guideline TR-03183, which provides detailed requirements for Software Bills of Materials (SBOMs) to prepare manufacturers for the upcoming enforcement of the EU's Cyber Resilience Act (CRA). This guideline specifies minimum SBOM information and preferred formats, and aligns with the standards set by the NTIA.
The Australian Cyber Security Centre (ACSC) advocates for SBOMs, and its ISM-1730 initiative requires the use of SBOMs for all software used by Australian government agencies.
The Ministry of Economy, Trade and Industry (METI) has actively promoted SBOM usage, and Japan has initiated pilot projects on SBOMs in collaboration with private industry.
India is strengthening cybersecurity partnerships and exploring ways to increase software transparency, and may consider SBOM requirements in its evolving cybersecurity policies. SBOMs are gaining importance as a key component of cybersecurity and compliance efforts, particularly within regulated sectors such as finance and critical infrastructure.