Software Bill of Materials requirements
Software Bill of Materials requirements have become a direct compliance obligation for technology and AI companies. The drivers are the U.S. Cybersecurity and Infrastructure Security Agency's binding operational directives and the European Union Agency for Cybersecurity's guidance under the EU Cyber Resilience Act, which mandates machine-readable SBOMs for software placed on the EU market. The U.S. Office of Management and Budget's M-23-16 memo pushed federal software vendors to attest to secure development practices, with SBOM delivery as a core component. Together these force compliance teams to map third-party component inventories against contractual and regulatory disclosure timelines now, rather than waiting for contract renewal.
Watch
- EU Cyber Resilience Act SBOM format requirements: final delegated acts still pending
- CISA's known exploited vulnerabilities catalog intersecting with SBOM disclosure duties for AI system vendors
- OMB M-23-16 self-attestation deadlines for federal software suppliers in the AI toolchain
- NTIA minimum elements standard: watch for agency-specific expansions beyond the 2021 baseline
Recent material activity in Technology, AI & Competition
- NIST releases updated AI Risk Management Framework companion guide for critical infrastructure: NIST published AI RMF 1.1 companion guidance specifically addressing AI deployment in critical infrastructure sectors including energy, financial services, and healthcare. The guide introduces mandatory risk assessment c…