Why SBOMs are becoming mandatory in 2025: Compliance, procurement, and security

Why Are SBOMs Central to Cybersecurity Policy in 2025?

In 2025, Software Bills of Materials (SBOMs) have transitioned from optional best practice to formal requirement. Governments, critical infrastructure operators, and enterprise procurement teams are now mandating SBOM disclosures as part of software lifecycle governance. The shift reflects growing concern over software supply chain security, triggered by high-profile breaches in recent years, including the SolarWinds intrusion and the exploitability of deeply embedded open-source components like Log4j.

SBOMs function like an ingredient list for software, detailing every component, version, and dependency that comprises a digital product. This visibility gives organizations the ability to track vulnerabilities down to the package level, respond faster to emerging threats, and comply with regulatory expectations. As software complexity grows, SBOMs have become indispensable for assessing vendor risk and enforcing post-incident remediation timelines.

What Is Driving the Regulatory Push Toward SBOM Adoption?

The legal and policy momentum behind SBOM adoption gained force with the 2021 U.S. Executive Order 14028, which required federal agencies and suppliers to submit SBOMs for all software used within government systems. That directive, formalized further by the Office of Management and Budget in 2022, set a three-year timeline for widespread SBOM integration—bringing us to full-scale enforcement in 2025.

Meanwhile, in Europe, the Cyber Resilience Act (CRA), adopted in late 2024, now requires all “digital products with critical functions” sold in the EU to include verifiable SBOMs, especially when built using third-party or open-source code. Companies that fail to comply may face heavy penalties, recalls, or outright bans from public sector procurement.

The National Institute of Standards and Technology (NIST) has issued revised guidance (SP 800-161 Rev. 2) in early 2025 to clarify SBOM formats, minimum required fields, and compatibility standards. These frameworks are shaping not just how SBOMs are published, but also how vendors must respond when a component is later found vulnerable to exploitation.

How Do SBOMs Improve Software Supply Chain Security?

Modern software is rarely written from scratch. Whether building mobile apps, web platforms, industrial control systems, or SaaS environments, developers routinely rely on libraries and frameworks pulled from ecosystems like npm, PyPI, Maven, and GitHub. These components may themselves contain multiple nested dependencies—some maintained by large foundations, others by a single unpaid maintainer.

This creates a sprawling, opaque attack surface where a vulnerability in an obscure component can propagate into core systems. SBOMs give defenders a structured view of that complexity. When a new CVE is disclosed, SBOM-aware systems can automatically identify if the affected component exists anywhere within the organization’s deployed assets. This enables rapid mitigation, prioritization, and vendor escalation.

In December 2024, a critical CVE in an open-source JSON parser (CVE-2024-7875) affected over 600 widely used applications. Enterprises with SBOM visibility were able to isolate and update affected deployments within hours. In contrast, firms without SBOM tracking spent days assessing exposure manually—if at all—causing widespread risk management failures across healthcare, fintech, and manufacturing sectors.

Why Are Enterprises Now Demanding SBOMs from Vendors?

SBOMs are no longer seen as just a regulatory checkbox—they are now a prerequisite for doing business in regulated sectors. Enterprises purchasing software, especially in finance, defense, and healthcare, have begun adding SBOM compliance to their security due diligence and vendor onboarding workflows.

Procurement teams now routinely require suppliers to submit SPDX or CycloneDX-formatted SBOMs, attest to the security posture of their third-party components, and confirm the absence of high-risk CVEs at the time of delivery. In some contracts, vendors must commit to patching known vulnerabilities in listed components within a defined SLA or risk breach penalties.

Security teams are also using SBOMs to build internal asset inventories and track licensing exposure, especially around copyleft licenses or components with ambiguous redistribution clauses. This compliance function has become increasingly critical in merger and acquisition due diligence, as acquirers evaluate the technical debt and risk profile of target firms.

How Are Tools and Standards Supporting SBOM Integration?

As SBOMs become mainstream, an ecosystem of tooling has emerged to support automated generation, validation, and policy enforcement. Popular DevSecOps platforms now include native SBOM output modules, enabling development teams to generate SBOMs during CI/CD build stages. Tools like Syft, Trivy, and Microsoft’s OpenVEX are being adopted to streamline SBOM workflows and generate machine-readable output at scale.

To support policy enforcement, many organizations have adopted Open Policy Agent (OPA)-based rules that validate SBOMs against predefined criteria before software is released into production. This aligns with the broader shift toward “shift-left” security, where issues are caught earlier in the development cycle.

Meanwhile, the OpenSSF Scorecard and SLSA (Supply-chain Levels for Software Artifacts) frameworks have introduced integrity signals tied to SBOM compliance, giving security leaders a way to prioritize more trustworthy packages in their build pipelines.

How Are Cyber Insurers and Investors Responding to SBOM Gaps?

The SBOM requirement has also become a factor in cyber insurance underwriting. Major insurers now require policyholders to demonstrate software transparency, maintain up-to-date SBOM inventories, and integrate known-vulnerabilities scans as part of their operational risk controls.

Breach disclosures involving “unknown components” or incomplete inventories now trigger coverage exceptions in many contracts. Firms unable to trace their software dependencies face higher premiums or limited post-incident support, particularly in sectors with high exposure to ransomware, zero-day chains, or regulatory fines.

Institutional investors and ESG rating agencies are also scrutinizing SBOM practices. During Q1 2025 earnings calls, software firms like ServiceNow and Fortinet highlighted SBOM maturity as part of their compliance narratives, while others disclosed SBOM coverage rates and remediation SLAs as part of their 10-K risk factor disclosures. As cybersecurity becomes a board-level issue, SBOM visibility is increasingly seen as a marker of operational maturity.

What’s Next for SBOMs in Global Cybersecurity Strategy?

Analysts expect SBOMs to evolve from static artifacts into dynamic, real-time documents. With the rise of microservices, containers, and ephemeral workloads, future SBOMs may be generated at runtime, updated via telemetry, and integrated with threat intelligence feeds to enable automated response to component-level attacks.

Government mandates are expected to extend into the private sector. By mid-2026, compliance with SBOM requirements will likely be necessary not only for public sector software procurement but also for cloud service providers, API brokers, and enterprise IT platforms that serve regulated verticals. The European Commission and U.S. CISA are jointly exploring harmonized minimum SBOM fields and shared vulnerability databases to improve cross-border incident coordination.

As threats evolve and software continues to scale, SBOMs represent one of the few mechanisms capable of bringing clarity and accountability to digital infrastructure. From breach containment to risk modeling, they are becoming the connective tissue of modern software governance.

In 2025, the question is no longer whether to adopt SBOMs—but how fast and how well. Organizations that embrace SBOM-driven visibility are gaining not just compliance credibility, but strategic security advantage. In the age of software-defined infrastructure, knowing what’s inside your codebase is no longer optional. It’s operationally essential.