DoD Mandates SBOMs for Software Vendors to Enhance Security Transparency
In September 2024, the Department of Defense mandated that software vendors provide Software Bills of Materials (SBOMs) to enhance security transparency, as outlined in a memorandum signed by Army leaders. The initiative, part of the Software Fast Track Program, aims to standardize SBOM practices amid significant discrepancies in submissions, with recommendations for improved normalization and documentation. Ensuring the quality of SBOMs is deemed essential for the security of DoD and critical infrastructure systems.

In September 2024, Army leaders signed a memorandum requiring SBOMs for vendor-supplied software. The DoD's Chief Information Officer mandates that vendors submit SBOMs via the Software Fast Track Program. The SEI's 2024 SBOM Harmonization Plugfest, supported by CISA, aims to address SBOM divergence caused by inconsistent definitions and implementation practices.
Analysis revealed significant variance in component counts and content across SBOM submissions. Participants used different methods to generate build and source SBOMs, which affected which components were discovered.
Recommendations include improving normalization, documenting SBOM generation methods, and developing SBOM profiles for clearer communication. Ensuring SBOM quality is critical for software security, especially for DoD and critical infrastructure systems.
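As an added illustration of why normalization matters (example code, not part of the article or of the Plugfest's own tooling), the script below compares two constructed CycloneDX-style SBOMs for the same hypothetical application: it first matches components by normalized package URL (purl), then falls back to name@version for entries whose purl is missing, and reports what remains in only one of the two.

```python
"""Normalize two CycloneDX-style SBOMs and report where their component lists diverge."""
import json
from typing import Optional

# Constructed sample data: two SBOMs for the same hypothetical application, one from a
# build tool and one from a source scanner. Not data from the Plugfest or any real project.
BUILD_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
    {"name": "jackson-databind", "version": "2.15.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    {"name": "guava", "version": "32.1.2-jre"},  # build tool emitted no purl
]})
SOURCE_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "Log4j-Core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"name": "Guava", "version": "32.1.2-jre",
     "purl": "pkg:maven/com.google.guava/guava@32.1.2-jre"},
    {"name": "commons-text", "version": "1.10.0",  # only the source scanner found this
     "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0"},
]})


def strict_key(c: dict) -> Optional[str]:
    """purl with qualifiers (?...) and subpath (#...) stripped and lowercased; None if absent."""
    purl = c.get("purl")
    return purl.split("?", 1)[0].split("#", 1)[0].lower() if purl else None


def loose_key(c: dict) -> str:
    """name@version, case-folded. Ignores namespace, so same-named packages from
    different ecosystems would collide; treat loose matches as needing review."""
    return f"{c.get('name', '').lower()}@{c.get('version', '')}"


def compare_sboms(a_json: str, b_json: str) -> dict:
    a = json.loads(a_json).get("components", [])
    b = json.loads(b_json).get("components", [])
    a_strict = {strict_key(c): c for c in a if strict_key(c)}
    b_strict = {strict_key(c): c for c in b if strict_key(c)}
    strict = sorted(a_strict.keys() & b_strict.keys())
    # Second pass: anything not matched by purl (or lacking one) is compared by name@version.
    a_rest = {loose_key(c): c for c in a if strict_key(c) not in strict}
    b_rest = {loose_key(c): c for c in b if strict_key(c) not in strict}
    return {"strict_matches": strict,
            "loose_matches": sorted(a_rest.keys() & b_rest.keys()),
            "only_in_a": sorted(a_rest.keys() - b_rest.keys()),
            "only_in_b": sorted(b_rest.keys() - a_rest.keys())}


if __name__ == "__main__":
    print(json.dumps(compare_sboms(BUILD_SBOM, SOURCE_SBOM), indent=2))
```

On the sample data, log4j-core matches only after the `?type=jar` qualifier and case are normalized, guava matches only by the name@version fallback because the build SBOM carried no purl, and the remaining two components are the genuine divergence a reviewer would need to investigate.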