Military Embedded Systems

GUEST BLOG: The U.S. Army’s SBOM mandate: A catalyst for software supply-chain security


March 17, 2025

Joel Krooswyk

GitLab Federal


The U.S. Army’s recent mandate for software bills of materials (SBOMs) marks a significant step forward in bolstering software supply-chain security. This proactive measure, driven by President Biden’s 2021 executive order on cybersecurity, aims to improve the visibility and security of software components. As the federal government and the U.S. Department of Defense (DoD) prioritize supply-chain security, we can expect SBOM requirements to become a standard across all military branches.

Navigating the road to secure software

The Army’s SBOM mandate is a positive milestone, signaling that the agency’s security posture is evolving from reactive to proactive. SBOMs will give the Army more oversight into vulnerabilities and guidance on where to fix them.

However, implementing SBOMs for legacy systems can be challenging due to tool limitations and the inherent complexity of agency systems. Many legacy systems within the DoD may not be easily adapted to generate and maintain accurate SBOMs. Additionally, the maturity and availability of tools to support SBOM generation and analysis can vary.

Organizations must invest in modernizing their software-development processes and adopting tools that can automate SBOM generation and maintenance. Additionally, they must ensure that SBOMs are dynamic and up-to-date. Traditional SBOMs are static snapshots of software components and may not provide adequate visibility into evolving vulnerabilities. By adopting dynamic SBOMs, organizations can gain real-time insights into their software supply chain and take timely action to address emerging threats.

Effectively implementing SBOMs requires a combination of technological advancements, process improvements, and a strategic approach. By investing in modern tools and methodologies, organizations can streamline the generation and maintenance of SBOMs, ensuring they remain accurate and relevant.

Leveraging AI to power dynamic SBOMs

Automation supercharges SBOM implementation: by automating SBOM generation and integrating it with security scanning tools for vulnerability analysis, organizations can gain real-time insights into their software supply chain. Artificial intelligence (AI) further enhances this process by providing automated recommendations and remediation for vulnerabilities.

Integrating SBOMs with continuous vulnerability scanning enables organizations to identify and address emerging threats proactively. AI can play a crucial role in this process, analyzing vast amounts of data to identify potential vulnerabilities and suggest appropriate mitigation strategies.
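The correlation described above, as an added example that is not part of the original post or any GitLab product: a CycloneDX-style SBOM (format and component fields are an assumption; the article names no format) is matched against an advisory feed, and two SBOM snapshots are diffed so a re-scan can focus on what changed. The SBOM, advisory IDs and versions are constructed sample data.

```python
"""Correlate an SBOM with an advisory feed and detect drift between SBOM snapshots.
Assumptions (not from the article): components carry a package URL (purl), advisories
name a purl prefix plus a "fixed in" version, and versions are dotted integers."""
import json

# Constructed sample SBOM (CycloneDX-like JSON); not any real project's inventory.
SBOM_V1 = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
  {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
  {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"}]}""")

# Constructed advisory feed with placeholder IDs: affected purl prefix and the fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core", "fixed_in": "2.17.1"},
    {"id": "ADV-EXAMPLE-2", "purl": "pkg:generic/openssl", "fixed_in": "3.0.8"},
    {"id": "ADV-EXAMPLE-3", "purl": "pkg:pypi/requests", "fixed_in": "2.20.0"},
]

def parse_version(v):
    """Dotted numeric version -> tuple of ints so '2.9' < '2.17' compares correctly."""
    return tuple(int(p) for p in v.split("."))

def split_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (prefix, version)."""
    prefix, _, version = purl.partition("@")
    return prefix, version

def affected_components(sbom, advisories):
    """Return (name, version, advisory id) for every component below an advisory's fixed version."""
    hits = []
    for comp in sbom["components"]:
        prefix, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl"] == prefix and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], version, adv["id"]))
    return hits

def sbom_drift(old, new):
    """Compare two SBOM snapshots: purls added, removed, or re-versioned since the last scan."""
    old_map = dict(split_purl(c["purl"]) for c in old["components"])
    new_map = dict(split_purl(c["purl"]) for c in new["components"])
    return {
        "added": sorted(set(new_map) - set(old_map)),
        "removed": sorted(set(old_map) - set(new_map)),
        "changed": sorted(p for p in old_map.keys() & new_map.keys() if old_map[p] != new_map[p]),
    }
```

Re-running `affected_components` on each fresh SBOM against the latest advisory feed, and acting on `sbom_drift` between builds, is the "dynamic SBOM" loop the text describes rather than a one-time snapshot.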

Furthermore, AI can help streamline the interpretation of SBOM data, making it easier for security teams to understand and prioritize risks. By automating tasks like vulnerability analysis and patch management, AI can free up security teams to focus on more strategic initiatives.

While the Army’s memo didn’t explicitly mention AI, software developers have demonstrated the benefit of integrating AI into the entire software-development life cycle. By embracing these technologies, agencies can significantly improve their software supply-chain security posture and protect critical assets.

The future of software supply-chain security

As with many department-wide mandates, the Army’s SBOM memo will require organizational and cultural changes, including within private-sector partners that work with the Army. The Army’s mandate sets a strong precedent for other organizations, particularly within the federal government.

As we go through 2025, we can expect most, if not all, military branches to use SBOMs to provide transparency into defense systems, software-development processes, and – most importantly – risk. The increased adoption of SBOMs will assist defense agencies in aligning with the Secure by Design guidance set forth by the Cybersecurity and Infrastructure Security Agency (CISA). Secure by Design is an initiative introduced by CISA in 2024 to encourage software manufacturers to prioritize security throughout the software development life cycle. Many agencies will develop stringent SBOM requirements and may refuse to work with vendors that can’t provide SBOMs.

As the software-development landscape continues to evolve, the importance of SBOMs will only grow. By embracing SBOMs and leveraging advanced technologies like AI, agencies can build more secure and resilient software supply chains.

Joel Krooswyk is the Federal CTO at GitLab.

GitLab • https://about.gitlab.com/
