GUEST BLOG: Military SBOM adoption -- strengthening software supply-chain security
Story | September 03, 2025
The growing adoption of software bills of materials (SBOMs) across military agencies marks a significant step forward in bolstering software supply-chain security.
As military agencies and state departments increasingly prioritize supply chain security, the industry can expect SBOM requirements to become a standard across all public-sector organizations.
Accelerating secure software delivery
The military’s embrace of SBOM mandates represents a positive evolution, marking a shift from a reactive to a proactive security posture. SBOMs will give agencies more oversight into vulnerabilities and guide how to fix them.
However, tool limitations and complexities within government systems pose challenges to SBOM implementation for legacy systems. Many legacy systems within agencies may not easily adapt to generate and maintain accurate SBOMs. Additionally, the maturity and availability of tools to support SBOM generation and analysis can vary.
Organizations must invest in modernizing their software-development processes and adopting tools that can automate SBOM generation and maintenance. Additionally, organizations need to ensure that SBOMs are dynamic and up-to-date. Traditional SBOMs are static snapshots of software components and often do not provide adequate visibility into evolving vulnerabilities. Dynamic SBOMs deliver real-time insights into an organization’s software supply chain and enable teams to take timely action to address emerging threats.
Effectively implementing SBOMs requires a combination of technological advancements, process improvements, and a strategic approach. By investing in modern tools and methodologies, organizations can streamline the generation and maintenance of SBOMs, ensuring they remain accurate and relevant.
Utilizing AI to develop and maintain SBOMs
Organizations must adopt automated processes to maximize SBOM effectiveness. By automating SBOM creation and integrating it with security assessment tools for vulnerability evaluation, organizations can gain an immediate understanding of their software supply chain. Artificial intelligence (AI) amplifies this capability by delivering automated guidance and solutions for security weaknesses.
Combining SBOMs with ongoing vulnerability monitoring enables organizations to detect and resolve emerging risks preemptively. AI can serve a vital role in this workflow, processing extensive datasets to recognize potential security gaps and recommend suitable countermeasures.
Additionally, AI can facilitate the analysis of SBOM information, simplifying risk comprehension and prioritization for security personnel. By automating functions such as vulnerability assessment and update management, AI enables agencies’ security teams to concentrate on higher-level strategic objectives.
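The workflow sketched above (a generated SBOM, matched continuously against a vulnerability feed, with findings prioritized for the security team and a "dynamic" view of what changed between builds) can be shown concretely. The following is an added example, not code from the original post or from GitLab: it parses two constructed CycloneDX-style SBOM snapshots, matches their components against a constructed vulnerability feed (the `VULN-000x` identifiers and `libexample-*` packages are placeholders, not real advisories or libraries), prioritizes findings by severity, and reports which risks a rebuild introduced or resolved. The `affected_below` field and the simple dotted-version comparison are assumptions made for the example; a real feed would carry proper version ranges and identifiers.

```python
"""Added example: SBOM component matching, prioritization and snapshot diffing.

All SBOM content, package names and vulnerability identifiers below are
constructed placeholders for illustration (not real libraries or advisories).
"""
import json

# Constructed sample: two CycloneDX-style SBOM snapshots of the same application.
# The second reflects a rebuild that bumped one dependency and added another.
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample-http", "version": "2.3.1",
         "purl": "pkg:generic/libexample-http@2.3.1"},
        {"type": "library", "name": "libexample-json", "version": "1.0.0",
         "purl": "pkg:generic/libexample-json@1.0.0"},
    ],
})
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample-http", "version": "2.4.0",
         "purl": "pkg:generic/libexample-http@2.4.0"},
        {"type": "library", "name": "libexample-json", "version": "1.0.0",
         "purl": "pkg:generic/libexample-json@1.0.0"},
        {"type": "library", "name": "libexample-crypto", "version": "0.9.2",
         "purl": "pkg:generic/libexample-crypto@0.9.2"},
    ],
})

# Constructed vulnerability feed. "affected_below" is an assumed, simplified
# range format: every version strictly below it is affected.
VULN_FEED = [
    {"id": "VULN-0001", "name": "libexample-http",
     "affected_below": "2.4.0", "severity": "high"},
    {"id": "VULN-0002", "name": "libexample-crypto",
     "affected_below": "1.0.0", "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_tuple(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json):
    """Parse a CycloneDX-style SBOM and index its components by package name.

    Keying by name keeps the example short; real SBOMs can list several versions
    of one package, in which case the purl is the right key.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return {c["name"]: c for c in bom.get("components", [])}


def find_vulnerable(components, feed):
    """Match components against the feed; return findings sorted by severity."""
    findings = []
    for vuln in feed:
        comp = components.get(vuln["name"])
        if comp is None:
            continue
        if version_tuple(comp["version"]) < version_tuple(vuln["affected_below"]):
            findings.append({
                "id": vuln["id"],
                "severity": vuln["severity"],
                "component": "%s@%s" % (comp["name"], comp["version"]),
                "remediation": "upgrade to >= %s" % vuln["affected_below"],
            })
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)))
    return findings


def diff_sboms(old_json, new_json):
    """Report components added, removed or re-versioned between two snapshots."""
    old, new = load_components(old_json), load_components(new_json)
    added = sorted("%s@%s" % (c["name"], c["version"]) for n, c in new.items() if n not in old)
    removed = sorted("%s@%s" % (c["name"], c["version"]) for n, c in old.items() if n not in new)
    changed = sorted((n, old[n]["version"], new[n]["version"])
                     for n in old.keys() & new.keys()
                     if old[n]["version"] != new[n]["version"])
    return {"added": added, "removed": removed, "changed": changed}


def compare_risk(old_json, new_json, feed):
    """The 'dynamic' view: which vulnerability ids a rebuild introduced or resolved."""
    old_ids = {f["id"] for f in find_vulnerable(load_components(old_json), feed)}
    new_ids = {f["id"] for f in find_vulnerable(load_components(new_json), feed)}
    return {"introduced": sorted(new_ids - old_ids), "resolved": sorted(old_ids - new_ids)}


if __name__ == "__main__":
    print(json.dumps(find_vulnerable(load_components(SBOM_V2), VULN_FEED), indent=2))
    print(json.dumps(diff_sboms(SBOM_V1, SBOM_V2), indent=2))
    print(json.dumps(compare_risk(SBOM_V1, SBOM_V2, VULN_FEED), indent=2))
```

Run in a pipeline, `compare_risk` is the part that turns a static SBOM into a dynamic one: rather than re-reading the whole finding list after every build, the team sees only what the rebuild changed, here a high-severity issue resolved by the bump and a critical one introduced by the new dependency. The same matching step can be re-run against a refreshed feed without rebuilding, which is how newly published advisories surface against an unchanged SBOM.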
Although particular agency requirements may not explicitly reference AI technologies, software engineers have proven the value of incorporating AI throughout the full software-development process. By adopting these innovations, organizations can significantly enhance their software supply-chain security framework and protect critical assets.
The next evolution of software supply-chain security
As with many government-wide initiatives, SBOM adoption will require organizational and cultural changes, including within private-sector partners that work with public agencies. Early adopters are setting a strong precedent for other organizations, particularly within the federal government.
In the coming period, it is reasonable to expect that virtually all military branches and defense organizations will employ SBOMs to deliver transparency regarding their systems, software-creation processes, and – critically – risk assessment. The growing utilization of SBOMs will support agencies in meeting the “Secure by Design” principles established by the Cybersecurity and Infrastructure Security Agency. Numerous agencies will establish strict SBOM standards and may decline partnerships with suppliers that are unable to deliver comprehensive SBOMs.
The importance of SBOMs will only continue to grow into the next stage of software development. By embracing SBOMs and leveraging advanced technologies like AI, military agencies and the broader public sector will see strengthened supply-chain security and greater resiliency.
Bob Stevens is VP at GitLab.
GitLab • https://about.gitlab.com/
