Software Bill of Materials (SBOM)

A Software Bill of Materials is a formal, machine-readable inventory of the components in a software product, increasingly required under US Executive Order 14028 and the EU Cyber Resilience Act.

What is an SBOM?

A Software Bill of Materials is a formal, machine-readable inventory of every component — open-source libraries, proprietary modules, third-party services — that makes up a software product. The two dominant standards are SPDX (ISO/IEC 5962, maintained by the Linux Foundation) and CycloneDX (maintained by OWASP). SBOMs let buyers map their own software supply chain so a future Log4j-style vulnerability disclosure can be triaged in minutes rather than weeks.

Regulatory drivers

SBOM requirements are accelerating. US Executive Order 14028 (May 2021) mandates SBOMs for federal software acquisitions. The FDA requires SBOMs for medical-device software submissions (October 2023 guidance). The EU Cyber Resilience Act (entering into force late 2024) requires SBOMs for connected products. AI vendors selling into regulated buyers should expect SBOM requests as standard procurement diligence.

AI-specific SBOM considerations

AI systems blur the SBOM concept because the dependencies include not just code but training data, base models, and fine-tuning datasets. The MITRE AI SBOM and ML-BOM extensions formalize this with additional fields for model architecture, training dataset, evaluation, and known limitations. Ask AI vendors whether they produce a standard SBOM, whether they extend it to model and training-data lineage, and whether sub-processor models (upstream frontier APIs) appear in the bill.
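The two uses the page describes, triaging a vulnerability disclosure against an inventory and checking whether an AI vendor's bill carries model and training-data lineage, can be shown with one short Python script over a CycloneDX document. This is an added example, not code from the page or from the CycloneDX project: the SBOM, the advisory (its identifier ADV-EXAMPLE-0001 is a placeholder, and its affected version range is constructed for illustration) and the provider name are all constructed inline, and the field layout (components, services, dependencies, modelCard with modelParameters.datasets and considerations.technicalLimitations) follows CycloneDX 1.5 conventions as the author of this example understands them.

```python
"""Triage a CycloneDX SBOM against an advisory and audit its AI lineage fields.

Added example, not the page's own code. The SBOM and the advisory below are
constructed inline; their layout follows CycloneDX 1.5 conventions as the
author of this example understands them.
"""
import json

# Constructed SBOM: two libraries, one ML model, its training dataset, and one
# upstream (sub-processor) model API declared as a service.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "bom-ref": "app",
                             "name": "assistant-service", "version": "3.2.0"}},
  "components": [
    {"type": "library", "bom-ref": "log4j", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "bom-ref": "requests", "name": "requests",
     "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "machine-learning-model", "bom-ref": "classifier",
     "name": "intent-classifier", "version": "1.4",
     "modelCard": {"modelParameters": {"architectureFamily": "transformer",
                                       "datasets": [{"ref": "train-set"}]},
                   "considerations": {"technicalLimitations": ["English only"]}}},
    {"type": "data", "bom-ref": "train-set", "name": "support-tickets-2023",
     "version": "2023-11"}
  ],
  "services": [
    {"bom-ref": "frontier-api", "name": "upstream-frontier-llm",
     "provider": {"name": "ExampleAI (constructed)"}}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["log4j", "requests", "classifier", "frontier-api"]},
    {"ref": "classifier", "dependsOn": ["train-set"]}
  ]
}
'''

# Constructed advisory in an OSV-like shape: the package is identified by its
# purl without a version, and the affected range is [introduced, fixed).
# The identifier is a placeholder, not a real advisory.
ADVISORY = {
    "id": "ADV-EXAMPLE-0001",
    "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "introduced": "2.0",
    "fixed": "2.15.0",
}


def load_sbom(text):
    """Parse the SBOM JSON; a real pipeline would validate against the schema."""
    return json.loads(text)


def version_key(version):
    """Turn a dotted numeric version into a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def split_purl(purl):
    """Return (purl without version, version) for 'pkg:type/ns/name@version[?qualifiers]'."""
    base, _, rest = purl.partition("@")
    return base, rest.split("?", 1)[0]


def affected_components(sbom, advisory):
    """List 'name@version' for every component in the advisory's affected range."""
    lo, hi = version_key(advisory["introduced"]), version_key(advisory["fixed"])
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched automatically
        base, version = split_purl(purl)
        if base == advisory["purl"] and lo <= version_key(version) < hi:
            hits.append(f'{comp["name"]}@{version}')
    return hits


def audit_ai_lineage(sbom):
    """Report ML models lacking a model card, dataset lineage or documented limitations,
    and flag a bill that declares no external services (where upstream model APIs belong)."""
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", []) if "bom-ref" in c}
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("type") != "machine-learning-model":
            continue
        card = comp.get("modelCard")
        if not card:
            findings.append(f'{comp["name"]}: no modelCard')
            continue
        datasets = card.get("modelParameters", {}).get("datasets", [])
        if not datasets:
            findings.append(f'{comp["name"]}: no training dataset declared')
        for dataset in datasets:
            ref = dataset.get("ref")
            if ref not in by_ref or by_ref[ref].get("type") != "data":
                findings.append(f'{comp["name"]}: dataset ref {ref!r} does not resolve to a data component')
        if not card.get("considerations", {}).get("technicalLimitations"):
            findings.append(f'{comp["name"]}: known limitations not documented')
    if not sbom.get("services"):
        findings.append("no external services declared (sub-processor models would be missing)")
    return findings


def triage(sbom, advisory):
    """Combine both checks into one report for a procurement or incident review."""
    return {"affected": affected_components(sbom, advisory),
            "lineage_findings": audit_ai_lineage(sbom)}


if __name__ == "__main__":
    print(json.dumps(triage(load_sbom(SBOM_JSON), ADVISORY), indent=2))
```

Run as-is, the report names the one library inside the advisory's range and returns no lineage findings, because the constructed bill declares a model card, a resolvable dataset reference, a limitation and an upstream service; dropping the modelCard or the services array produces the corresponding findings, which is the shape of answer a buyer wants back from the vendor questions in the paragraph above.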