Federal GRC Engineering
SBOM
Software Bill of Materials: a formal, machine-readable inventory of the software components, libraries, and dependencies that make up a software product, recording for each its supplier, version, and dependency relationships. Section 4 of Executive Order 14028 (May 12, 2021) directed NTIA to publish the minimum elements of an SBOM, which it did in July 2021, and required federal software acquisitions to include SBOMs. The two standard formats are CycloneDX and SPDX. An SBOM is the input that lets a buyer determine in minutes whether a newly disclosed vulnerability (the Log4j flaw, the XZ Utils backdoor) affects software the buyer is running, because the affected component and version can be matched against the inventory rather than hunted for across deployed systems.
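As an added example (not part of this glossary entry), the lookup the last sentence describes, in Python: parse a CycloneDX JSON SBOM and return the components whose Package URL and version fall inside an advisory's affected range. The SBOM contents, the product name `ledger-svc` and the version bounds are constructed for illustration, not taken from any real product or advisory.

```python
import json

# Constructed CycloneDX 1.5 SBOM (not from any real product), trimmed to the
# fields the lookup needs: a name, version and Package URL per component.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "application", "name": "ledger-svc", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.0",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}
  ]
}"""

def parse_version(v):
    """'2.14.1' -> (2, 14, 1); non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def split_purl(purl):
    """Package URL -> (type/namespace/name, version or None), dropping qualifiers."""
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    coordinates, _, version = body.partition("@")
    return coordinates, version or None

def affected_components(sbom, coordinates, introduced, fixed):
    """Components matching `coordinates` with a version in [introduced, fixed),
    the half-open convention advisories use. Recurses into nested components."""
    hits, stack = [], list(sbom.get("components", []))
    while stack:
        comp = stack.pop()
        stack.extend(comp.get("components", []))
        coords, version = split_purl(comp["purl"]) if comp.get("purl") else (None, None)
        if coords != coordinates or version is None:
            continue
        if parse_version(introduced) <= parse_version(version) < parse_version(fixed):
            hits.append((comp["name"], version))
    return hits

def check_log4j(sbom_json=SBOM_JSON):
    """Query for one advisory; the version bounds are constructed for illustration."""
    sbom = json.loads(sbom_json)
    return affected_components(sbom, "maven/org.apache.logging.log4j/log4j-core",
                               introduced="2.0", fixed="2.15.0")

if __name__ == "__main__":
    print(check_log4j())  # [('log4j-core', '2.14.1')]
```

The same query run over every SBOM in an acquisition inventory is what turns a vendor advisory into a list of affected deployments without touching the systems themselves.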