Back to GRC

SBOM requirements in 2026: what regulators and buyers actually expect

Photo: Unsplash

SBOM requirements in 2026: what regulators and buyers actually expect

SBOM requirements used to be a U.S. federal procurement concern. In 2026 they show up in FDA submissions, EU product regulation, defense contracts, and—most often for SaaS companies—enterprise vendor security reviews. Teams that treat SBOMs as a one-off document scramble every time a new request lands; teams that generate them per release answer in minutes.

This guide covers:

  • The NTIA minimum elements every SBOM is typically measured against
  • Which regulations and frameworks reference SBOMs today
  • What enterprise buyers actually ask for in questionnaires
  • A practical path to meeting SBOM requirements without new headcount
  • Mistakes that make SBOM programs fail quietly

Reading the fine print

GIF via GIPHY

Related guides:


Key takeaways

  • The NTIA minimum elements (supplier, component name, version, unique IDs, dependency relationships, author, timestamp) are the de facto baseline for "a real SBOM."
  • EO 14028, FDA premarket guidance, and the EU Cyber Resilience Act all reference SBOMs—each with different scope and depth expectations.
  • Enterprise buyers commonly request SBOMs per major release, delivered in SPDX or CycloneDX.
  • Meeting requirements is mostly an automation problem: generate in CI, store with release artifacts, and define a sharing process.
  • SecureSlate turns SBOM practices into reusable evidence for audits and security questionnaires.

The NTIA minimum elements

The NTIA's 2021 "Minimum Elements for a Software Bill of Materials" remains the reference point most requesters use. It defines three categories:

Category Elements What "good" looks like
Data fields Supplier, component name, version, unique identifiers, dependency relationships, SBOM author, timestamp Every component resolvable to a CVE-matchable identifier (PURL/CPE)
Automation support Machine-readable format SPDX or CycloneDX in JSON—not a PDF or spreadsheet
Practices and processes Frequency, depth, known unknowns, distribution, access control New SBOM per release; transitive dependencies included; gaps declared

The "known unknowns" element matters more than teams expect: an SBOM that explicitly states where its visibility ends is typically treated as more credible than one that silently omits sections of the dependency tree.


Regulations that reference SBOMs

Regulation / program Who it affects SBOM expectation
EO 14028 / OMB M-22-18 Vendors selling software to U.S. federal agencies SBOM on request, plus secure development attestation (CISA form)
FDA Section 524B Medical device manufacturers ("cyber devices") SBOM covering commercial, open source, and off-the-shelf components in premarket submissions
EU Cyber Resilience Act Products with digital elements sold in the EU Machine-readable SBOM of at least top-level dependencies, available to market surveillance authorities
DoD / defense supply chain Defense contractors and subcontractors SBOM clauses increasingly appearing in contracts alongside CMMC obligations
PCI DSS 4.0 (6.3.2) Organizations handling cardholder data An inventory of bespoke and custom software components—an SBOM satisfies this cleanly

If you sell into several of these markets, resist the urge to build separate processes. One automated SBOM pipeline typically satisfies all of them with format and depth adjustments.


What enterprise buyers ask for

In vendor security reviews, SBOM requests commonly look like:

  • "Provide an SBOM for the product in scope" — expect SPDX or CycloneDX JSON
  • "Describe your process for maintaining component inventories" — they want cadence and ownership, not a one-time export
  • "How do you identify and remediate vulnerable components?" — SBOM plus vulnerability correlation and SLAs
  • "Do you provide VEX documents?" — increasingly common; see our VEX guide

Buyers rarely read every line of your SBOM. They check that it exists, that it is fresh, that it is machine-readable, and that your answers about process are consistent with it.


How to meet SBOM requirements

  1. Inventory your products and decide which artifacts need SBOMs (customer-facing services, distributed binaries, container images).
  2. Generate in CI per release using tools that emit SPDX and CycloneDX.
  3. Include transitive dependencies—top-level-only SBOMs fail most buyer reviews.
  4. Store SBOMs versioned alongside release artifacts with retention matching your contract obligations.
  5. Define a sharing workflow: who approves external SBOM requests, under what terms (NDA, portal, trust center).
  6. Document the process in your secure SDLC policy so auditors can test it—see our secure SDLC policy guide.

Common mistakes

  • One-time SBOMs generated for a single deal, stale within a sprint
  • PDF or spreadsheet SBOMs that fail the machine-readability expectation
  • Top-level dependencies only, hiding the transitive tree where most vulnerabilities live
  • No named owner for inbound SBOM requests, so responses take weeks
  • SBOMs disconnected from vulnerability management—an inventory nobody queries during incidents

SBOM requirements with SecureSlate

SecureSlate maps your SBOM and secure development practices to SOC 2, ISO 27001, PCI DSS, and customer questionnaires—so one pipeline satisfies auditors, regulators, and enterprise buyers from a single source of truth.

Get started for free · Free readiness score


FAQ: SBOM requirements

Is there one universal SBOM requirement?

No. The NTIA minimum elements are the common baseline, but each regulator and buyer adds scope details—depth of dependencies, format, delivery mechanism, and update cadence vary.

Do SaaS companies need SBOMs if they don't ship binaries?

Increasingly yes. Enterprise buyers request SBOMs for hosted services during due diligence, and U.S. federal customers may require them regardless of delivery model.

What format should we deliver?

SPDX or CycloneDX in JSON. Generate both if your tooling allows—it avoids re-work when different customers ask for different formats.

How deep must the dependency tree go?

The NTIA baseline expects at least top-level with known unknowns declared, but mature programs include full transitive dependencies because that is where most exploitable components sit.

Are SBOM attestations the same as SBOMs?

No. Attestations (like the CISA secure software development attestation) are statements about your practices; the SBOM is the component inventory itself. Federal buyers may ask for both.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute legal advice or create an attorney-client relationship. Security and compliance obligations vary by industry, contract, and jurisdiction—consult qualified counsel as needed.

Need compliance without the complexity?

SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.

No credit card required

Filed under:

Author: SecureSlate Team

4.8(187 reviews)

Keep reading

Jul 5, 2026 · GRC

Acceptable Use Policy: template, requirements, and audit evidence for 2026

Jul 5, 2026 · GRC

AI Governance Policy: template, requirements, and audit evidence for 2026

Jul 5, 2026 · GRC

Asset Management Policy: template, requirements, and audit evidence for 2026

View more posts
Jamie
Virtual Agent

Hi! I'm Jamie. Curious about your current compliance challenges and how automation might help your team?