Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Career Intelligence
    • Cyber Tactics
    • Cybersecurity Education & Training
    • Leadership & Management
    • Security Talk
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Interactive Spotlight
    • Photo Galleries
    • Podcasts
    • Polls
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityCyber Tactics ColumnSecurity Enterprise ServicesSecurity Leadership and ManagementLogical Security

Cyber Tactics

Better software supply chain security through SBOMs

Creating a cybersecurity supply chain governance framework is a critical step in securing your organization’s digital supply chain.

By Pam Nigro, Contributing Writer
Data cloud security

Just_Super / iStock / Getty Images Plus via Getty Images

February 12, 2024

An executive order from President Biden in 2021 focused on enhancing software supply chain security. This added transparency can help to identify and mitigate security risks, such as vulnerabilities in open source components or malicious code that has been inserted into the supply chain. These Software Bills of Materials (SBOMs) play an important role in enhancing software supply chain security by providing transparency into the components used to build software. This requirement is designed to help the government to better understand and manage the security risks associated with the software it uses.

The development of commercial software often lacks transparency, security focus, and safeguards against tampering. To ensure software functions securely and as intended, especially critical software, there is a need for more robust and predictable mechanisms. With this in mind, let’s explore the concept of a Supplier/Vendor Software Bill of Materials (SBOM).

In today's interconnected digital landscape, the integrity and security of software components used in products and services are of paramount importance. As organizations rely on an intricate network of suppliers and vendors to source these components, ensuring transparency and understanding the composition of these software elements becomes crucial. This is where the concept of an SBOM comes into play.

What is a SBOM? It is a comprehensive document that provides a detailed inventory of all software components and dependencies used in a particular product or system, including those contributed by suppliers and vendors. It serves as a critical element of supply chain risk management and cybersecurity governance. The SBOM lists each binary component, its version, origin and potential vulnerabilities, enabling organizations to assess the security and compliance of their software supply chain thoroughly.

SBOM serves as a critical tool for transparency, security and risk management. It empowers organizations to make informed decisions about their software components, enabling them to build more secure, compliant and resilient products and services.

Creating a cybersecurity supply chain governance framework is a critical step in securing your organization's digital supply chain. Here's a step-by-step guide to get started:

Governance structure: Establish a dedicated cross-functional team responsible for SBOM governance. This team should include representatives from cybersecurity, software development, procurement, legal and compliance.

Policy and standards: Develop clear policies and standards that mandate the creation, maintenance and sharing of SBOMs for all software products used within the organization. These policies should outline the frequency of updates, data format and sharing mechanisms.

SBOM creation: Define a standardized process for creating SBOMs for each software product. This process should involve automated tools and manual reviews to ensure accuracy and completeness.

Inventory management: Maintain an up-to-date inventory of software components, libraries, frameworks and dependencies used in each software product. Track versions, origins and licenses for all components.


❝

In an era of increasing cyber threats and regulatory scrutiny, the SBOM is a valuable tool that enhances transparency, security, and risk mitigation within the supply chain, ultimately safeguarding the integrity of software, firmware or products.”


Integration with development lifecycle: Integrate SBOM creation and maintenance into the software development lifecycle. Developers should generate SBOMs automatically during the build process, ensuring that each software release is accompanied by an accurate SBOM.

Supplier engagement: Collaborate with software suppliers and vendors to obtain SBOMs for third-party components. Mandate the provision of accurate and timely SBOMs as part of procurement agreements.

Continuous monitoring: Implement continuous monitoring of software components and their vulnerabilities. Regularly update SBOMs to include information about newly discovered vulnerabilities and available patches.

Vulnerability assessment: Integrate vulnerability assessment tools to analyze SBOMs and identify known vulnerabilities and security issues in software components. Prioritize addressing high-risk vulnerabilities.

Remediation and patching: Develop a process for addressing vulnerabilities identified in SBOMs. Define responsibilities for patch management and ensure timely remediation of identified vulnerabilities.

Sharing and transparency: Promote transparency by sharing SBOMs with relevant stakeholders, including internal teams, customers and partners. This fosters accountability and enables better risk assessment.

Compliance and reporting: Ensure compliance with relevant industry standards and regulations that require SBOMs. Generate reports that demonstrate the organization's commitment to software transparency and security.

Incident Response: Incorporate SBOMs into the incident response process. In the case of a security breach or vulnerability exploit, having an accurate SBOM will help identify affected systems quickly.

Training and awareness: Educate software developers, procurement teams and relevant stakeholders about the importance of SBOMs, their role in cybersecurity and the procedures for generating and managing them.

Automation and tools: Invest in automation tools and software solutions that facilitate the creation, maintenance and analysis of SBOMs. These tools can streamline the process and enhance accuracy.

Continuous improvement: Regularly review and update the SBOM governance model to incorporate lessons learned from incidents, changes in software development practices, and evolving cybersecurity threats.

By maintaining an SBOM, organizations can swiftly identify and remediate vulnerabilities, respond to security incidents and ensure that software components are up-to-date and compliant with regulatory requirements. In an era of increasing cyber threats and regulatory scrutiny, the SBOM is a valuable tool that enhances transparency, security, and risk mitigation within the supply chain, ultimately safeguarding the integrity of software, firmware or products.

Remember that cybersecurity supply chain governance is an ongoing process. It requires adaptability and a commitment to continuous improvement to stay ahead of evolving cyber threats and vulnerabilities in today's interconnected business environment.

KEYWORDS: software security supply chain supply chain cyber security supply chain security

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Nigro headshot

Pam Nigro is the Vice President of Security and Security Officer at Medecision. She also is an ISACA Board Director and was the 2022-23 ISACA Board Chair. Image courtesy of Nigro

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Cyber tech background

    Security’s Top Cybersecurity Leaders 2026

    Security magazine’s Top Cybersecurity Leaders 2026 award...
    Security Leadership and Management
  • Iintegration and use of emerging tools

    Future Proof Your Security Career with AI Skills

    AI’s evolution demands security leaders master...
    Security Education & Training
    By: Jerry J. Brennan and Joanne R. Pollock
  • The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report surveys enterprise...
    The Security Benchmark Report
    By: Rachelle Blair-Frasier
Manage My Account
  • Security Newsletter
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

Hand reaching up out of the ocean

What I Learned About Burnout the Hard Way (and How to Actually Fix it)

Broken wet floor sign

Why Response Time Is Becoming the Missing Metric in Workplace Safety and Security

Paparazzi

When Private Events Become Public Infrastructure: What Celebrity OSINT Teaches Security Leaders

Cyber Tactics

AIBOMs: Bringing AI Security Out of the Shadows, A Practical Guide for Security Professionals

Medical professional

Nearly 85% of Nurses Experienced Workplace Violence in the Last Year

Kaseware sponsored webinar
Schneider Electric sponsored webinar

Events

August 25, 2026

Critical Infrastructure Security Is National Security: Protecting Essential Operations in an Era of Escalating Risk

LIVE: August 25, 2026 at 2 PM EDT Learn why critical infrastructure security has become a national security imperative, and the strategies organizations can adopt to improve visibility, collaboration, and response across their security operations.

August 27, 2026

Leveraging AI & Mobility to Advance Your Security Domain

LIVE: August 27, 2026 at 2 PM EDT Explore how AI-driven cloud security solutions can elevate your security domain enhancing threat detection, streamlining operations, and delivering the resilience modern organizations demand.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products


Alertmedia sponsored webinar

Related Articles

  • ciso

    4 things CISOs need to know about software supply chain security

    See More
  • warehouse.jpg

    9 out of 10 companies detected software supply chain security risks

    See More
  • software supply chain

    A focus on risk in software supply chain security

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • Hospitality Security: Managing Security in Today's Hotel, Lodging, Entertainment, and Tourism Environment

See More Products

Events

View AllSubmit An Event
  • October 16, 2025

    Stronger Together: Elevating Security Through Strategic Partnerships

    ON DEMAND: In the complex and rapidly evolving threat landscape of today, no campus stands secure in isolation. Discover how strategic partnerships can transform fragmented efforts into unified security strategies that protect people, assets, and the institutional mission.
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • Newsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2026. All Rights Reserved BNP Media, Inc. and BNP Media II, LLC.

Design, CMS, Hosting & Web Development :: ePublishing