<p dir="ltr">A software bill of materials (SBOM) provides transparency into the components of an integrated software product. That transparency is critical to identifying system vulnerabilities and thus to mitigating potential security risks. There is growing interest in using SBOMs to support software supply chain risk management. In September 2024, Army leaders signed a memorandum requiring SBOMs for vendor-supplied software. More recently, the Department of Defense (DoD) Chief Information Officer, through its Software Fast Track Program, is requiring that software vendors submit their SBOMs, along with SBOMs produced by third-party assessors, so that variances between SBOMs for the same software can be detected. Different SBOM tools should produce similar records for a piece of software at a given point in its lifecycle, but this is not always the case. When SBOMs for the same piece of software diverge, confidence in these documents as a basis for software quality and security decisions is undermined. This blog post outlines our team’s recent findings on why SBOMs diverge and recommends seven ways to improve SBOM accuracy.</p>
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.