On August 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released its draft guide for Software Bills of Materials (SBOMs) for public comment, signaling a new stage in the journey toward making SBOMs a foundational part of software supply chain security.
While SBOMs have been discussed in policy circles for a number of years, the new draft reflects an important pivot from theory to operational reality, one that many organizations are already beginning to experience.
At TV, we see SBOMs as part of a broader ecosystem of digital trust. They're not a silver bullet on their own. But in the right context, paired with certificate lifecycle management, code signing, and other integrity controls, SBOMs are already delivering real value and helping organizations reduce supply chain risk.
The question many are asking is: Are SBOMs actually useful in real-world cybersecurity operations, or are they still more theoretical?
The answer is clear: SBOMs are already proving useful today. A number of organizations are benefiting from what we often describe as the “nutrition label for software” approach. Just as consumers want to know what goes into their food, enterprises want transparency into the components, libraries, and dependencies that make up their software. SBOMs provide that visibility, which in turn helps identify vulnerabilities faster, streamline patch management, and strengthen compliance reporting.
What’s changing is that SBOMs are evolving from a compliance checkbox into an operational tool. We’re seeing adoption shift toward practical use cases where SBOMs can be queried against vulnerability databases, integrated into DevSecOps pipelines, and used to demonstrate software integrity across the supply chain. For TV, SBOMs represent one part of a broader set of solutions that make software integrity verifiable, auditable, and ultimately more trustworthy.
SBOM adoption isn’t without its challenges, especially for federal agencies and regulated industries where SBOMs are quickly becoming a requirement.
While SBOMs improve visibility, the content is still controlled by the software creator. Before signing and distributing, a vendor could omit certain dependencies, producing what we call a “sanitized SBOM.” Think of it like applying an Instagram filter—what you see may not be the whole picture, which raises questions about completeness and trust.
SBOMs list components, but they don’t inherently tell you which of those components are vulnerable. Agencies and enterprises still need additional processes and tooling to cross-reference SBOMs against vulnerability databases to gain a true picture of risk.
SBOMs must be monitored over time. The threat landscape changes daily, and both producers and consumers need alerts when new vulnerabilities emerge in existing software. This capability is still in its infancy, but service providers are beginning to offer solutions that tie SBOMs to real-time risk intelligence, helping keep everyone honest about patching and updates.
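The cross-referencing step described above, as an added example that is not part of the original post: a small Python routine that reads a CycloneDX-style SBOM and matches each component against a vulnerability feed. The SBOM, the component names and the feed entries (with placeholder vulnerability ids) are all constructed here; re-running it whenever the feed changes is the monitoring loop the post calls for.

```python
import json

# Constructed CycloneDX-style SBOM; the component names and versions are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
    {"type": "library", "name": "libbar", "version": "2.0.9", "purl": "pkg:generic/libbar@2.0.9"},
    {"type": "library", "name": "libbaz", "version": "0.9.1", "purl": "pkg:generic/libbaz@0.9.1"}
  ]
}"""

# Constructed vulnerability feed with placeholder ids. "introduced" is the first
# affected version and "fixed_in" the first safe one (None = no fix published yet).
VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-1", "name": "libfoo", "introduced": "1.0.0", "fixed_in": "1.4.3"},
    {"id": "VULN-PLACEHOLDER-2", "name": "libbar", "introduced": "2.1.0", "fixed_in": "2.1.4"},
    {"id": "VULN-PLACEHOLDER-3", "name": "libbaz", "introduced": "0.0.0", "fixed_in": None},
]

def parse_version(v):
    """Turn a dotted numeric version ("1.4.2") into a tuple of ints for ordered comparison.
    Assumes purely numeric components; real feeds need a full version-scheme parser."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, entry):
    """True when version falls in [introduced, fixed_in), or at/after introduced with no fix."""
    v = parse_version(version)
    if v < parse_version(entry["introduced"]):
        return False
    return entry["fixed_in"] is None or v < parse_version(entry["fixed_in"])

def cross_reference(sbom_json, feed):
    """Return {component purl: [vulnerability ids]} for every SBOM component the feed matches."""
    components = json.loads(sbom_json).get("components", [])
    findings = {}
    for c in components:
        hits = [e["id"] for e in feed
                if e["name"] == c["name"] and is_affected(c["version"], e)]
        if hits:
            findings[c["purl"]] = hits
    return findings

if __name__ == "__main__":
    for purl, ids in cross_reference(SBOM_JSON, VULN_FEED).items():
        print(purl, "->", ", ".join(ids))
```

The SBOM alone only says what is present; the feed supplies the "which of these is vulnerable" answer, and the match is only as good as the version-range data in that feed.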
The 2025 CISA draft guide takes an important step forward by addressing one of the biggest limitations that previously held SBOMs back: provenance and integrity.
Until now, there was no definitive way to ensure SBOMs hadn’t been altered once generated. The draft’s introduction of cryptographic component hashes changes that. Requiring a hash for each component lets an SBOM unambiguously identify software elements and make them verifiable against the original creator’s record. This creates a layer of irrefutability and trust that was previously missing and is essential for operational adoption.
It's a move that addresses a foundational need: If SBOMs are to be used for vulnerability management and compliance reporting, organizations must have confidence that the information has not been tampered with. The hash requirement is a welcome advancement and a signal that SBOMs are maturing into a tool that can be trusted across the ecosystem.
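How per-component hashes make an SBOM checkable, as an added example that is not part of the original post or of any CISA tooling: a producer-side routine emits a CycloneDX-style SBOM with a SHA-256 hash per component, and a consumer-side routine compares the shipped artifacts against it, flagging both a component whose bytes no longer match and a component the SBOM omits (the "sanitized SBOM" case from earlier in the post). The artifact names and contents are constructed; it assumes the consumer has the full set of shipped files in hand.

```python
import hashlib
import json

# Constructed component bytes standing in for the artifacts a vendor ships.
ARTIFACTS = {
    "libfoo-1.4.2.tar.gz": b"constructed libfoo payload",
    "libbar-2.0.9.tar.gz": b"constructed libbar payload",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_sbom(artifacts):
    """Producer side: emit a CycloneDX-style component list with a SHA-256 hash per component."""
    components = []
    for filename, data in artifacts.items():
        name, version = filename.rsplit(".tar.gz", 1)[0].rsplit("-", 1)
        components.append({
            "type": "library", "name": name, "version": version,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components})

def verify_sbom(sbom_json, artifacts):
    """Consumer side: check every shipped artifact against the SBOM's hashes.
    Returns (mismatched, unlisted): files whose hash differs from the SBOM entry,
    and files present in the shipment that the SBOM does not list at all."""
    sbom = json.loads(sbom_json)
    listed = {}
    for c in sbom.get("components", []):
        sha = next((h["content"] for h in c.get("hashes", []) if h["alg"] == "SHA-256"), None)
        listed[f'{c["name"]}-{c["version"]}.tar.gz'] = sha
    mismatched = [f for f, data in artifacts.items()
                  if f in listed and listed[f] != sha256_hex(data)]
    unlisted = [f for f in artifacts if f not in listed]
    return mismatched, unlisted

if __name__ == "__main__":
    sbom = build_sbom(ARTIFACTS)
    print(verify_sbom(sbom, ARTIFACTS))            # clean shipment: ([], [])
    # A component whose bytes changed after the SBOM was produced.
    changed = dict(ARTIFACTS, **{"libfoo-1.4.2.tar.gz": b"different bytes"})
    print(verify_sbom(sbom, changed))              # (['libfoo-1.4.2.tar.gz'], [])
    # A dependency that shipped but was left out of the SBOM.
    extra = dict(ARTIFACTS, **{"libbaz-0.9.1.tar.gz": b"undeclared"})
    print(verify_sbom(sbom, extra))                # ([], ['libbaz-0.9.1.tar.gz'])
```

The hashes bind the SBOM to the artifacts; signing the SBOM document itself (the code-signing control the post pairs with SBOMs) is what keeps those hash values from being rewritten along with the components.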
While the hash requirement is a milestone, more work remains to make SBOMs fully actionable:
Standardization: Different vendors continue to produce SBOMs in different formats, making interoperability difficult.
Integration with vulnerability management: SBOMs need tighter linkage with vulnerability databases and automation tools to provide real-time insights.
Scale and automation: Organizations need ways to manage SBOMs across thousands of applications and updates without introducing new operational bottlenecks.
Addressing these challenges will require not only better guidance from agencies like CISA but also broader ecosystem collaboration across vendors, service providers, and enterprises.
SBOMs are no longer just a concept; they’re becoming an operational necessity. The 2025 draft from CISA is an important milestone, strengthening SBOM integrity and laying the groundwork for wider adoption.
But the real opportunity lies in continuing to build SBOMs into a layered approach to digital trust—paired with certificate lifecycle management, code signing, and crypto-agility strategies that prepare organizations for the post-quantum era.
At TV, we believe in this layered model because no single control will ever be enough. Cyber risk is managed through transparency, accountability, and resilience. SBOMs are a powerful tool in that model, and as standards evolve, we expect their role in real-world cybersecurity operations to only grow stronger.