Understanding SWFT, the Latest Effort to Modernize DoD Software Procurement

By Tom Tapley



Software bills of materials (SBOMs) have become essential tools in securing today's software supply chains. Their ability to provide a unified, shareable, and machine-readable record of an application's components is invaluable. This is particularly true in the context of cybersecurity, where documenting known vulnerabilities enables organizations to assess and mitigate risks much more quickly than they could without an SBOM.

This value and utility become even clearer when you consider the role they play in the recent wave of emerging cybersecurity legislation. Software supply chains have become increasingly tempting targets for bad actors, because of the far-reaching damage that can be done with just a single point of compromise. SBOMs help mitigate this risk, and the industry is adapting accordingly.

Understandably, the Department of Defense is embracing modern procurement measures as part of its broader strategy. The Software Fast Track (SWFT) initiative specifically seeks to accelerate software acquisition through streamlined cybersecurity assessments and standardized use of SBOMs, supported by independent third-party software security assessments.

SWFT is explicitly focused on accelerating secure software adoption by reducing the time and complexity involved in the Authorization to Operate (ATO) process. It emphasizes consistent, secure, and accelerated risk assessments informed by software-specific supply chain risk management (SCRM) requirements.

As threats evolve, there's growing pressure in federal spaces to rethink procurement processes, potentially shifting toward pre-vetted or security-certified applications to ensure compliance and reduce risk. On the vendor side, companies face the challenge of producing accurate, complete SBOMs, while staying agile enough to meet stringent and evolving federal security requirements. To compete for DoD, GSA, or other federal contracts, they must not only build secure software, but also demonstrate it transparently and reliably.

SBOMs Remain Central to the Future of Safe Software Acquisition

There has been considerable coverage of the current administration's amendments to previous cybersecurity executive orders, particularly regarding sections of Executive Order 14144 that target transparency and security in third-party software applications.

Originally, these sections were meant to:

  • Require machine-readable secure software development attestations

  • Provide high-level artifacts to validate those attestations

  • List providers' Federal Civilian Executive Branch (FCEB) agency software customers

But it's important to note that the revised EO does not remove all requirements around software supply chain transparency. Self-attestation is still a requirement, and this means SBOMs will remain an important, and in Sonatype's view, an indispensable tool. Executive Orders 14028 and 14144 still underscore the need for supply chain transparency.

In fact, the DoD is building an entire software procurement program around SBOMs, which remain the only effective way to exchange information about vulnerabilities in software. The recent emphasis on securing critical infrastructure has only heightened this need. To meet these demands, vendors of critical infrastructure systems are now required to provide detailed information about their applications. SBOMs with VEX information are the answer.

This extends beyond just software. Recent Executive Orders have focused on boosting the industrial base for drones and other dual-use technologies, representing a natural extension of requirements from agencies like DHS, DoD, and FAA, as well as programs such as the National Defense Authorization Act. All of this points to one clear trend: SBOMs are not going away. Instead, they are becoming increasingly central to government applications.

History Shows Our Industry Is Good at Adaptation

It's common that when something new is introduced, the immediate reaction is resistance, usually on the basis of the cost or time needed to accommodate the change. History proves that industries adapt, and the benefits far outweigh the initial challenges.

The current Authority to Operate (ATO) process struggles with inconsistencies across organizations. The staggering amount of paperwork required and layers of bureaucracy result in a buying cycle that could last years, and doesn't do much to actually address the security concerns it's been built on.

The DoD, in an effort to assess the security of its IT systems, issued its first request for information specifically asking organizations how their systems are being designed with cybersecurity in mind. SBOMs present an opportunity to standardize and automate application reviews. Vendors could avoid delays while improving security outcomes. Automated vetting, powered by AI and machine-readable SBOMs, aligns perfectly with the DoD's vision for SWFT, drastically cutting time-to-market for critical applications.

While scaling these efforts requires planning and resources, past advancements in sectors like healthcare and aviation demonstrate that innovation flourishes once new systems are integrated. From FDA-compliant medical devices to FAA-regulated airframe software, standardization has consistently driven progress — in both safety and efficiency.

Here's how the DoD's vision for SWFT leverages technologies like SBOMs to deliver on this promise:

  • Accelerated procurement: By digitizing and automating key processes, SWFT aims to reduce deployment timelines from years to months (or even weeks).

  • Consistency across agencies: Implementing SBOMs enables standardized reviews and streamlined compliance procedures, ensuring clarity for both government and vendors.

  • Enhanced security posture: Combining machine-readable SBOMs with AI-powered analysis allows organizations to preemptively address vulnerabilities and mitigate risks more effectively.
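The two ideas above, an SBOM carrying VEX statements (as called for earlier in this post) and an automated review that acts on them, can be shown in working code. The following Python script is an added example and is not Sonatype's or the DoD's code. It assumes the CycloneDX JSON layout (components identified by `bom-ref`, a top-level `vulnerabilities` array whose entries carry an `analysis` block with a VEX state) and uses a constructed SBOM with placeholder vulnerability ids rather than real CVEs.

```python
"""Triage a CycloneDX SBOM that carries embedded VEX analysis.

Added example, not Sonatype's or the DoD's code. Assumes the CycloneDX
JSON layout and a constructed sample SBOM built inline below.
"""
import json

# Constructed sample SBOM: three components, three vulnerability records.
# The vulnerability ids are placeholders, not real CVE numbers.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/example/parser@1.2.0",
         "name": "parser", "version": "1.2.0"},
        {"type": "library", "bom-ref": "pkg:maven/example/netutil@3.0.1",
         "name": "netutil", "version": "3.0.1"},
        {"type": "library", "bom-ref": "pkg:maven/example/crypto@2.4.0",
         "name": "crypto", "version": "2.4.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/example/parser@1.2.0"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"}},
        {"id": "EXAMPLE-0002",
         "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:maven/example/netutil@3.0.1"}],
         "analysis": {"state": "exploitable"}},
        {"id": "EXAMPLE-0003",
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:maven/example/crypto@2.4.0"}]},  # no VEX yet
    ],
})

# CycloneDX VEX states that close out a finding for review purposes,
# and those that keep it open.
RESOLVED_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}
OPEN_STATES = {"exploitable", "in_triage"}


def triage_sbom(sbom_json):
    """Return a per-component triage report derived from SBOM + VEX.

    Each component maps to lists 'open', 'resolved' and 'unassessed'.
    A vulnerability is resolved if its VEX state is in RESOLVED_STATES,
    open if it is exploitable or in_triage, and unassessed if it has no
    analysis block (the vendor listed the component but not the risk).
    """
    bom = json.loads(sbom_json)
    refs = {c["bom-ref"] for c in bom.get("components", [])}
    report = {ref: {"open": [], "resolved": [], "unassessed": []} for ref in refs}
    for vuln in bom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        if state in RESOLVED_STATES:
            bucket = "resolved"
        elif state in OPEN_STATES:
            bucket = "open"
        else:
            bucket = "unassessed"  # missing or unrecognised state
        for target in vuln.get("affects", []):
            ref = target["ref"]
            if ref not in refs:
                # VEX points at a component the SBOM does not list: flag it.
                report.setdefault(ref, {"open": [], "resolved": [],
                                        "unassessed": [], "dangling": True})
            report[ref][bucket].append(vuln["id"])
    return report


def review_verdict(report):
    """Summarise whether an automated review can pass the SBOM.

    Returns (verdict, reasons); 'pass' only when nothing is open,
    unassessed or dangling.
    """
    reasons = []
    for ref, buckets in sorted(report.items()):
        if buckets["open"]:
            reasons.append(f"{ref}: open finding(s) {buckets['open']}")
        if buckets["unassessed"]:
            reasons.append(f"{ref}: no VEX analysis for {buckets['unassessed']}")
        if buckets.get("dangling"):
            reasons.append(f"{ref}: referenced by VEX but absent from SBOM")
    return ("pass" if not reasons else "needs_review"), reasons


if __name__ == "__main__":
    verdict, why = review_verdict(triage_sbom(SAMPLE_SBOM))
    print(verdict)
    for reason in why:
        print(" -", reason)
```

Run against the constructed SBOM, the review returns `needs_review` with two reasons: the critical finding on `netutil` is still marked exploitable, and the finding on `crypto` has no VEX statement at all. The `parser` finding is closed by its `not_affected` statement, which is the point of carrying VEX alongside the SBOM: a reviewer does not have to re-derive that conclusion by hand.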

Modernizing Procurement Is about More Than Efficiency

At Sonatype, we've been at the forefront of secure software development, and our recent response to the SWFT Tools Request for Information (RFI) reflects our commitment to advancing these goals. The Sonatype Platform offers an end-to-end solution for open-source software security that seamlessly aligns with SWFT priorities. Notably:

  • Comprehensive compliance: Adheres to guidelines like NIST SP 800-218 (SSDF), EO 14028, and CISA's Secure by Design principles.

  • Certify once, use many times: We simplify compliance by enabling organizations to certify software once and reuse those artifacts across multiple projects.

  • Full life cycle security: From development to deployment, our tools identify vulnerabilities, apply fixes, and operationalize security practices.

By automating critical workflows and integrating tools like SBOMs into the process, SWFT allows agencies and vendors to focus on innovation rather than red tape. For vendors, this is an opportunity to strengthen their capabilities and secure their position within critical government initiatives. For the DoD, it's a chance to build a more agile, resilient defense infrastructure.

The SWFT initiative will redefine software procurement for the Department of Defense, but details are still unfolding. To cut through the noise, join Sonatype's upcoming webinar, "DoD-Ready Software: Navigating the Evolving SWFT Initiative." In this session, our experts will break down the latest draft requirements and provide practical strategies to ensure your software remains compliant and secure through this transition.



Tom Tapley specializes in securing software supply chains for Federal environments, bringing deep expertise in aligning agency security, compliance, and operational requirements with modern technology solutions. With a proven track record in supporting mission-critical systems, he bridges the gap ...
