
Transparency in Software Supply Chain

From EverybodyWiki Bios & Wiki

Transparency in the software supply chain means disclosing information about software components, their dependencies, provenance, and development practices in order to support risk management, vulnerability tracking, and compliance across the software lifecycle.[1][2][3]

History

Technical formats for documenting software components, such as SPDX (published in 2011)[4] and CycloneDX (published in 2017)[5], existed before the formalization of supply chain transparency. These formats were originally designed for license compliance and tooling interoperability. The development of these standards later enabled the emergence of the software supply chain transparency concept, encompassing component documentation, disclosure practices, risk management, and regulatory compliance.[6]

  • 2018 — NTIA launches a multistakeholder process on Software Component Transparency.[7]
  • May 12, 2021 — US President Joe Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity directs federal agencies to enhance supply chain transparency, including SBOM requirements.[8]
  • July 12, 2021 — NTIA publishes The Minimum Elements For a Software Bill of Materials (SBOM).[9]
  • 2021–2025 — CISA updates Framing Software Component Transparency with expanded SBOM metadata and operational guidance.
  • September 3, 2025 — METI and Japan NCO, with 15 countries, issue “A Shared Vision of SBOM for Cybersecurity”.[10]
  • 2025 — EU Cyber Resilience Act requires manufacturers to create, maintain, and retain SBOMs for software marketed in the EU.[11]

Software Bill of Materials (SBOM)

SBOM (Software Bill of Materials) is a formal list of the components, libraries, and tools used to develop, build, and publish a software product.[12] In the context of software supply chains, an SBOM records all components, both open-source and proprietary, much like a traditional bill of materials in manufacturing logistics.[13][14] An SBOM makes it possible to verify whether open-source and third-party components are up to date and to respond promptly when new vulnerabilities are disclosed, while buyers and other stakeholders can perform vulnerability and license analysis to assess and manage product risk.

Under Executive Order 14028, federal agencies are required to mandate that suppliers provide SBOMs for software procured by the government. The Minimum Elements for a Software Bill of Materials (NTIA) include three content categories: data fields with basic information about each component (name, version, identifiers), automation support (ability to generate SBOMs in machine-readable and human-readable formats, including automated generation using Software Composition Analysis tools), and guidance on how and when organizations should generate SBOMs during development and procurement.[15][16]
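As an added example (not part of the original article or of any NTIA or CycloneDX tooling), the following Python script checks a CycloneDX-style JSON document against the NTIA minimum data fields described above: supplier name, component name, version, unique identifier, dependency relationship, SBOM author and timestamp. The mapping from those fields to CycloneDX JSON keys and the sample document with its placeholder package names are this example's own assumptions.

```python
import json

# NTIA "Minimum Elements" baseline data fields, mapped to the CycloneDX JSON
# keys that carry them. This mapping is an assumption of this example, not an
# official crosswalk. The document-level fields (author, timestamp) are
# handled separately in check_minimum_elements().
COMPONENT_FIELDS = {
    "component name": lambda c: c.get("name"),
    "version": lambda c: c.get("version"),
    "supplier name": lambda c: (c.get("supplier") or {}).get("name"),
    "unique identifier": lambda c: c.get("purl") or c.get("cpe"),
}

def check_minimum_elements(sbom: dict) -> dict:
    """Return {component_ref: [missing fields]}; document-level gaps under '_document'."""
    findings = {}
    meta = sbom.get("metadata", {})
    doc_missing = []
    if not meta.get("timestamp"):
        doc_missing.append("timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        doc_missing.append("author of SBOM data")
    if doc_missing:
        findings["_document"] = doc_missing
    # A component declares its dependency relationship by appearing as a "ref"
    # in the dependencies graph, even with an empty dependsOn list for leaves.
    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        missing = [f for f, get in COMPONENT_FIELDS.items() if not get(comp)]
        if ref not in declared:
            missing.append("dependency relationship")
        if missing:
            findings[ref] = missing
    return findings

# Constructed sample document (placeholder package names, not real releases):
# the second component lacks a supplier, an identifier and a dependency entry.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2025-01-01T00:00:00Z",
               "authors": [{"name": "example-build-pipeline"}]},
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/examplelib@1.2.3", "name": "examplelib",
     "version": "1.2.3", "supplier": {"name": "example-vendor"},
     "purl": "pkg:pypi/examplelib@1.2.3"},
    {"type": "library", "bom-ref": "pkg:pypi/helperlib@0.9.0", "name": "helperlib",
     "version": "0.9.0"}
  ],
  "dependencies": [{"ref": "pkg:pypi/examplelib@1.2.3",
                    "dependsOn": ["pkg:pypi/helperlib@0.9.0"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(check_minimum_elements(SAMPLE_SBOM), indent=2))
```

A producer can run the same check in CI before publishing an SBOM, and a consumer can run it on received SBOMs to flag documents that are structurally valid but still incomplete against the minimum elements.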

Adoption and Transparency in Practice

  • Policy-driven SBOMs in open source: 0.56 % of popular GitHub repositories contain SBOMs created in accordance with formal security or compliance policies.[17]
  • SBOM inclusion in projects: Fewer than 50 % of the examined software projects include SBOMs in releases or version control; many of the SBOMs that do exist are incomplete or not compliant with a standard.[18]
  • Enterprise adoption: 60–76 % of surveyed enterprises require SBOMs from suppliers or integrate them into procurement and supply-chain risk management processes.[19]
  • Transparency in security products: TRACS 2025 identifies SBOM availability as a criterion for evaluating cybersecurity solutions; not all enterprise products provide publicly accessible SBOMs.[20]

References

  1. "Cyber Resilience Act". EUR-Lex. 20 November 2024.
  2. "Request for Comment on 2025 Minimum Elements for a Software Bill of Materials" (PDF). Department of Homeland Security.
  3. "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)" (PDF). National Telecommunications and Information Administration. 2021-10-21.
  4. "SPDX Workgroup Releases Software Package Data Exchange Standard to Widespread Industry Support - Linux Foundation". www.linuxfoundation.org. Retrieved 2026-01-21.
  5. "CycloneDX joins OWASP as a flagship project | OWASP Foundation". owasp.org. Retrieved 2026-01-21.
  6. "A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM". arxiv.org. Retrieved 2026-01-21.
  7. "Multistakeholder Process on Promoting Software Component Transparency". Federal Register. 2018-06-07. Retrieved 2026-01-21.
  8. "Executive Order 14028 SBOM Requirements". Sbomify. Retrieved 2026-01-21.
  9. Street, Arch (2021-07-12). "Software Bill of Materials Minimum Elements Defined by NTIA". View from Arch Street. Retrieved 2026-01-21.
  10. Poireault, Kevin (2025-09-05). "US and 14 Allies Release Joint Guidance on Software Bill of Materials". Infosecurity Magazine. Retrieved 2026-01-21.
  11. "EU CRA SBOM Requirements: Overview & Compliance Tips". Anchore. Retrieved 2026-01-21.
  12. "For Good Measure: Counting Broken Links: A Quant's View of Software Supply Chain Security" (PDF). USENIX ;login. Archived from the original (PDF) on 2022-12-17. Retrieved 2022-07-04.
  13. "[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management". Archived from the original on 2015-06-14. Retrieved 2015-06-12.
  14. "Software Bill of Materials". ntia.gov. Archived from the original on 2022-11-30. Retrieved 2021-01-25.
  15. "Automating compliance tooling" (PDF). NTIA. 17 June 2021.
  16. "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). NTIA.
  17. Novikov, Oleksii; Fucci, Davide; Adamov, Oleksandr; Mendez, Daniel (2025-09-01), Policy-driven Software Bill of Materials on GitHub: An Empirical Study, arXiv, doi:10.48550/arXiv.2509.01255, arXiv:2509.01255, retrieved 2026-01-17
  18. Nocera, Sabato; Romano, Simone; Di Penta, Massimiliano; Francese, Rita; Scanniello, Giuseppe (2025-12-01). "On the adoption of software bill of materials in open-source software projects". Journal of Systems and Software. 230: 112540. doi:10.1016/j.jss.2025.112540. ISSN 0164-1212.
  19. Ian Barker (2023-08-03). "Supply chain worries drive adoption of SBOMs". BetaNews. Retrieved 2026-01-17.
  20. "Transparency Review and Accountability in Cyber Security 2025" (PDF). WKO.



This article "Transparency in Software Supply Chain" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Transparency in Software Supply Chain. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.