CISA's Supply Chain Integrity Month reminds us of an undeniable truth about modern software development: transparency in software supply chains is no longer optional. The theme of week 4 is "Transparency: Securing Hardware and Software Across the Supply Chain." With more than 90% of modern software applications relying on open source, this message couldn't be more timely. Transparency is at the heart of the current trend in legislative action, which puts a spotlight on the way agencies evaluate, purchase, and monitor software.
Central to this shift is the Software Bill of Materials (SBOM), which plays an important role in secure and trusted software development. Sonatype's own research shows that projects using SBOMs to manage OSS dependencies have a 264-day reduction in mean time to remediate compared to projects that do not utilize them. SBOMs and software composition analysis (SCA) aren't just tools for developers. They're becoming procurement essentials, especially as secure software practices move upstream.
While software manufacturers and suppliers adapt to these new and growing demands for software transparency, SBOMs have emerged as cornerstones of modern acquisition strategies.
Why software transparency matters now
The emphasis on transparency goes hand-in-hand with the Pentagon's Secure Software Acquisition Pathway (SSAP), which emphasizes balancing speed with security, reliability, and transparency in software development and acquisition. For procurement teams, SBOMs are no longer a nice-to-have checklist item; they're pivotal to ensuring safe, compliant acquisitions. This approach not only safeguards national security but also provides agencies a blueprint for resilience, agility, and confidence in the software they acquire.
SBOMs fit the mission
SBOMs provide unmatched visibility into a software's third-party components, versions, licenses, and known vulnerabilities. Here's how they align with critical frameworks and guidance:
- NIST 800-218 defines secure software development practices, and SBOMs map directly to these requirements by ensuring a transparent software lifecycle.
- SBOMs fit into CISA's Software Acquisition Guide, providing actionable insights into the risks associated with third-party dependencies and open source software.
The key takeaway? Acquisition security is no longer a one-off activity; it's a lifecycle responsibility. SBOMs make this process feasible, repeatable, and measurable, serving both immediate needs and long-term goals.
SCA as the engine behind SBOM-driven procurement
This is where SCA comes in. SCA automates the identification and tracking of open source components, helping maintain accurate and up-to-date SBOMs. It can also proactively monitor software components from procurement through production, ensuring components that are vulnerable, outdated, or otherwise out of compliance are identified and addressed in real time.
SCA tools make it possible to:
- Mitigate risks at acquisition by analyzing software integrity and flagging any dangerous dependencies.
- Stay protected post-deployment by continuously monitoring software compositions during updates and operational use.
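To make the SCA-over-SBOM idea concrete, here is a small added example (not Sonatype's code or any product's logic) that reads a CycloneDX SBOM, matches component purls against an advisory list with a fixed version, and flags licenses that a procurement policy denies. The SBOM, the advisory identifier and the license policy are all constructed for illustration.

```python
"""Minimal SCA-style assessment of a CycloneDX SBOM (added example, constructed data)."""
import json

# Constructed CycloneDX 1.5 fragment; not a real project's SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "purl": "pkg:maven/org.example/example-http@2.3.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-yaml", "version": "1.9.0",
     "purl": "pkg:maven/org.example/example-yaml@1.9.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Constructed advisories keyed by version-less purl; "fixed" is the first safe version.
ADVISORIES = {
    "pkg:maven/org.example/example-http": {"id": "EXAMPLE-ADV-001", "fixed": "2.4.0"},
}
# Hypothetical procurement policy: licenses that must not appear in acquired software.
DENIED_LICENSES = {"GPL-3.0-only"}


def parse_version(v):
    """Numeric dotted versions only; sufficient for the constructed data above."""
    return tuple(int(p) for p in v.split("."))


def assess_sbom(sbom_text, advisories=ADVISORIES, denied=DENIED_LICENSES):
    """Return a list of (purl, finding) for every component that violates policy."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp.get("purl", "")
        base, _, version = purl.rpartition("@")  # split "pkg:...@version"
        adv = advisories.get(base)
        if adv and parse_version(version) < parse_version(adv["fixed"]):
            findings.append((purl, f"vulnerable: {adv['id']} (fixed in {adv['fixed']})"))
        for lic in comp.get("licenses", []):
            lid = lic.get("license", {}).get("id")
            if lid in denied:
                findings.append((purl, f"license policy violation: {lid}"))
    return findings


if __name__ == "__main__":
    for purl, finding in assess_sbom(SBOM_JSON):
        print(purl, "->", finding)
```

Run against a real SBOM, the advisory map would come from a vulnerability feed and the version comparison would need to handle non-numeric qualifiers.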
Beyond the checklist — Operationalizing software supply chain risk management
Teams across procurement, cybersecurity, and development need a shared language to align around risk management goals. SBOMs create that common ground. One-time SBOMs are useful, but continuous monitoring adds exponential value to software supply chain risk management.
Is your software acquisition process resilient?
Resilient acquisition processes demand more than a compliance checkbox; they require a competitive edge built on transparency and continuous assurance.
Answer the following questions to help you assess your software acquisition approach.
- Do you require SBOMs from all third-party vendors?
- Do you scan software components post-deployment?
- Do you verify the provenance of open-source libraries?
Based on your results, we would love to provide tailored recommendations and connect you to resources to strengthen your approach to acquisition security.
From compliance to confidence with Sonatype
Modern software acquisition isn't just about meeting basic requirements. It's about enabling mission success by building resilient supply chains. At Sonatype, we empower agencies and suppliers to simplify secure acquisition and continuously protect their software ecosystems. An SBOM isn't just a document — it's a gateway to trust, transparency, and operational excellence.