Software Bill of Materials requirements
Software Bill of Materials requirements are arriving in the energy sector through overlapping federal mandates, with the U.S. Department of Energy and the U.S. Cybersecurity and Infrastructure Security Agency driving disclosure obligations that now reach operational technology vendors supplying grid and pipeline operators. The White House Executive Order 14028 on Improving the Nation's Cybersecurity established SBOM as a baseline expectation for software used in critical infrastructure, and energy firms are now working backward through vendor contracts to confirm which suppliers can actually produce machine-readable SBOMs to spec. The Federal Energy Regulatory Commission has not yet issued a standalone SBOM rule, but its ongoing critical infrastructure protection proceedings are the near-term vehicle to watch.
Watch
- CISA's minimum SBOM data field requirements and whether OT vendors comply
- FERC CIP standards revision docket for any SBOM incorporation language
- DOE's updated Cyber-Informed Engineering guidance referencing SBOM for grid software
- Vendor contract audit clauses: do they obligate SBOM delivery on new software releases?
- EU Cyber Resilience Act SBOM provisions applying to energy software sold into European markets
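The phrase "machine-readable SBOMs to spec" is what a vendor audit has to pin down, so here is an added example (not from the page or any agency guidance) of the kind of check a grid or pipeline operator can run on a delivered SBOM before accepting it. It assumes CycloneDX JSON as the delivery format and uses the NTIA 2021 minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, SBOM author, timestamp) as the field set; CISA's current guidance builds on that list, and the sample SBOM and vendor names are constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample: a CycloneDX 1.5 JSON document shaped like an OT vendor's
# firmware SBOM. The zlib entry deliberately omits fields so the checker
# has something to report. All names and versions are made up.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "authors": [{"name": "Example Vendor SBOM Team"}],
        "component": {
            "name": "rtu-firmware", "version": "3.2.1",
            "supplier": {"name": "Example Vendor"},
            "bom-ref": "pkg:generic/rtu-firmware@3.2.1",
        },
    },
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Project"},
         "purl": "pkg:generic/openssl@3.0.13",
         "bom-ref": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "",
         "bom-ref": "pkg:generic/zlib"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/rtu-firmware@3.2.1",
         "dependsOn": ["pkg:generic/openssl@3.0.13"]},
    ],
})

# Any one of these CycloneDX fields satisfies "other unique identifiers".
IDENTIFIER_KEYS = ("purl", "cpe", "swid")


def check_minimum_elements(sbom: dict) -> list[str]:
    """Return one finding per missing minimum element; an empty list means the SBOM passes."""
    findings = []
    meta = sbom.get("metadata", {})

    # SBOM author and timestamp live in metadata.
    if not meta.get("authors"):
        findings.append("metadata: no SBOM author recorded")
    ts = meta.get("timestamp")
    try:
        # Accept a trailing 'Z' on older Python versions by normalising it.
        datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
    except ValueError:
        findings.append(f"metadata: timestamp missing or not ISO 8601: {ts!r}")

    # Every bom-ref that appears anywhere in the dependency graph.
    linked = set()
    for dep in sbom.get("dependencies", []):
        linked.add(dep.get("ref"))
        linked.update(dep.get("dependsOn", []))
    linked.discard(None)

    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: component name missing")
        if not comp.get("version"):
            findings.append(f"{label}: version missing")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: supplier name missing")
        if not any(comp.get(k) for k in IDENTIFIER_KEYS) and not comp.get("hashes"):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid/hash)")
        if comp.get("bom-ref") not in linked:
            findings.append(f"{label}: absent from dependency graph")
    return findings


def check_sbom_text(text: str) -> list[str]:
    """Parse a CycloneDX JSON document and check it; a parse or format failure is itself a finding."""
    try:
        sbom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"document: not valid JSON ({exc.msg})"]
    if sbom.get("bomFormat") != "CycloneDX":
        return ["document: bomFormat is not CycloneDX"]
    return check_minimum_elements(sbom)


if __name__ == "__main__":
    for finding in check_sbom_text(SAMPLE_SBOM_JSON):
        print(finding)
```

Run against the sample, the checker reports four findings, all against the zlib entry (no version, no supplier, no identifier, not present in the dependency graph), which is the usual shape of a vendor SBOM that was generated from a build manifest rather than from the full dependency tree. A contract clause that only says "SBOM delivered" cannot catch this; one that names the field set and a machine-readable format can.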