A Software Bill of Materials (SBOM) is a formal list of components, libraries, and dependencies included in a software product - similar to an ingredients list for software. SBOMs identify open-source and commercial components along with version information, allowing organizations to quickly identify affected systems when a vulnerability is discovered in a component.
The US government has required SBOMs for software sold to federal agencies as part of cybersecurity executive order requirements. NTIA published minimum element definitions for SBOMs covering supplier name, component name, version, unique identifier, dependency relationships, and timestamp.
For organizations in the defense supply chain, SBOM requirements are increasingly appearing in contract language.
For software buyers, collecting SBOMs from vendors enables faster response to vulnerabilities - rather than waiting for vendor advisories, security teams can proactively identify which products in their environment use a vulnerable library. Verify current federal SBOM requirements with CISA, as guidance was evolving as of mid-2025.
Keep Exploring
References