The SBOM Survival Guide: Why SBOM Compliance is Set to Ignite IoT Security

The EU Cyber Resilience Act is set to become law this year, reinforcing the global trend towards transparency and security in software, whilst providing another compelling reason for cyber professionals to take the Software Bill of Materials (SBOM) very seriously.

Along with the U.S. White House Executive Order 14028, which mandates the SBOM for government contractors, the new law seeks to inject transparency and higher levels of security into the software supply chain.

As another layer of security, the SBOM is a welcome introduction: it gives a product manufacturer evidence that software components are up to date, and it gives buyers a basis for evaluation. Together with continuous assurance, threat validation and lifecycle management, the SBOM is destined to become essential to protecting networks of thousands or millions of devices and to ensuring that device manufacturers' businesses can continue to serve government-based industries.

This transparency not only builds trust but also helps manufacturers to identify vulnerabilities and address them promptly. From the customer's side, SBOM information is a crucial factor, enabling enterprises to choose manufacturers who prioritize transparency and security in their products.

Recognizing the critical role of SBOM compliance is essential for securing IoT ecosystems. It's not just about adhering to regulations but also about embedding robust security practices into the very fabric of device manufacturing and deployment. This approach will help manufacturers and cyber professionals mitigate risks, maintain compliance, and safeguard the integrity of their networks.

Cyber teams running large networks of devices may find the SBOM complicated and burdensome, but they should remember that compliance failures are potentially serious. In Europe, infringements could mean legal sanctions and financial penalties, and in the U.S., the total inability to be a contractor of the U.S. government, its agencies and most critical national infrastructure organizations. The SBOM is fast establishing itself as essential to best practice requirements in many sectors.

In the U.S., the SBOM applies to all organizations producing software. The EU version is aimed at protecting "products with digital elements". Both versions of the SBOM act as a digital inventory, listing all the software elements and their complex dependencies. The burdens are greater in the medical sector where devices are regulated by the FDA in the U.S. and EU Medical Device Regulation in Europe.

Manufacturers must establish clear procedures for tracking and verifying software, collaborating closely with software vendors to ensure components meet the required security standards. Additionally, they need to record the required data fields for each software component, in each of the SBOM formats they support. It is a huge opportunity to embed zero-trust security into their designs, covering everything from buses to memory and network connections. Verifying the identity of devices and the validity of their SBOMs is becoming central to all IoT cybersecurity. If you can't trust the device, how can you trust the SBOM?

SBOM verification and attestation can cover all the software elements of a device, from secure boot, the trusted execution environment, virtual machines, the hypervisor and operating systems up to application frameworks. Multiple third parties inject software into a device, so the SBOM has to log all the activity across a device's lifecycle - from provisioning onwards. The secure log should also record who will use the SBOM information - the metadata.

To make the SBOM work at the scale of an industrial plant or refinery, organizations need to have automated identity access management and continuous attestation in place for all their hardware, software and networks, from the device up to the cloud or data center.

Organizations need continuous assurance from their device SBOMs, continuously monitoring all their assets against all their security policies. Since the SBOM is, to all intents and purposes, a "living thing", it is important for enterprises with extensive device networks to check a device's ID against its SBOM on a constant, recurring basis. Organizations must not validate a device onto a network if it does not have a valid SBOM. And when data from devices is flowing somewhere it should not, cyber teams should be alerted.

This needs to be part of a more all-encompassing zero-trust approach to identity management across humans, all machines, and those devices that may sit outside the firewall and are only infrequently online. AI is necessary for this level of continuous authorization, but organizations also need access to external threat intelligence and policy-driven data encryption. This more integrated approach protects against current and future IoT threats, managing the identity of thousands of devices - from provisioning to decommissioning.

The SBOM is destined to be an essential piece of the security armor for IoT networks. In the U.S. and EU, its governmental backers have shown they intend to see through its implementation and enforcement. But software developers, device manufacturers and enterprises operating large networks need not fear the consequences of the SBOM's more widespread introduction.

What they must ensure is that continuous SBOM assurance is fully integrated into a holistic approach to IoT security that employs advanced automation of zero trust at scale. They need to ensure they have a validation solution that can interrogate each device's SBOM, reporting against policy requirements.
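The admission check described above (attested SBOM, device ID bound to the SBOM, required data fields per component, findings reported against policy), as an added example that is not from the article or any vendor product. It assumes a per-device HMAC key standing in for a hardware-rooted signature, a constructed CycloneDX-style SBOM, and a hypothetical policy dictionary.

```python
import hashlib, hmac, json

# Constructed example, not from the article: a minimal CycloneDX-style SBOM as a
# device might present it at admission time. The "attestation" is an HMAC over the
# canonical SBOM body keyed with a per-device secret (an assumption standing in for
# a hardware-rooted signature). Required fields follow the NTIA minimum elements.
DEVICE_KEY = b"constructed-per-device-key"  # assumption: provisioned into the device
POLICY = {
    "required_fields": ("supplier", "name", "version", "purl"),
    "banned": {"pkg:generic/weak-tls@0.9.1"},  # hypothetical policy entry
}

def canonical(body: dict) -> bytes:
    """Deterministic encoding so the attestation covers exactly one byte string."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def attest(body: dict, key: bytes) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def validate_sbom(doc: dict, presented_id: str, key: bytes, policy: dict) -> dict:
    """Admission decision for one device, with findings reported against policy."""
    body = doc.get("sbom", {})
    # 1. Verify the attestation first: an unattested SBOM proves nothing.
    if not hmac.compare_digest(attest(body, key), str(doc.get("attestation", ""))):
        return {"admit": False, "findings": ["attestation does not verify"]}
    findings = []
    # 2. The identity bound into the SBOM must match the device presenting it.
    if body.get("metadata", {}).get("device_id") != presented_id:
        findings.append("device_id mismatch")
    # 3. Each component must carry the required data fields and not be banned.
    for comp in body.get("components", []):
        label = comp.get("purl") or comp.get("name", "<unnamed>")
        missing = [f for f in policy["required_fields"] if not comp.get(f)]
        if missing:
            findings.append(f"{label}: missing {missing}")
        if comp.get("purl") in policy["banned"]:
            findings.append(f"{label}: banned by policy")
    return {"admit": not findings, "findings": findings}

SAMPLE_BODY = {  # constructed sample inventory
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"device_id": "dev-0001"},
    "components": [
        {"supplier": "Example Ltd", "name": "bootloader", "version": "2.3.1",
         "purl": "pkg:generic/bootloader@2.3.1"},
        {"supplier": "Example Ltd", "name": "rtos", "version": "5.0.0",
         "purl": "pkg:generic/rtos@5.0.0"},
    ],
}
SAMPLE_DOC = {"sbom": SAMPLE_BODY, "attestation": attest(SAMPLE_BODY, DEVICE_KEY)}
```

Any edit to the SBOM body after attestation fails step 1 before the content is even inspected, which is the ordering the article's "if you can't trust the device, how can you trust the SBOM?" argues for.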

Once SBOM and IAM provisioning knit seamlessly with policy-driven data encryption and AI-powered monitoring, they will have a far stronger security posture, with much greater protection for all devices.
