Software Bill of Materials (SBOMs) have become indispensable in in automotive cybersecurity programs that prioritize robust risk management.

What's driving this increasing significance in SBOMs? What regulatory mandates have they influenced? What are some of the challenges large automotive manufacturers face in implementing SBOMs? What are some best practices for SBOM adoption and usage?

Read on for our take: 

Understanding SBOMs

An SBOM records all components, libraries, and dependencies used in a software product. SBOMs increase transparency into product and software supply chain security by enabling continuous visibility into the potential vulnerabilities.

SBOMs are crucial for compliance and risk management, enabling organizations to meet cybersecurity regulations and mitigate risks. SBOMs also facilitate software lifecycle management, allowing for the tracking of components throughout the development process.

In the automotive industry, SBOMs are vital for ensuring the security and integrity of software supply chains.

Regulatory Landscape

Several regulations mandate the use of SBOMs in automotive software:

  • 2019: UNECE WP.29 Cybersecurity Regulation mandates SBOMs.
  • 2021: Executive Order 14028 requires SBOMs for software procured by US federal agencies.
  • 2022: VDA Automotive Cybersecurity Guidelines introduce SBOM requirements.
  • 2023: ISO/SAE 21434 Automotive Cybersecurity Standard recommends SBOMs.
  • 2024 (expected): EU Cyber Resilience Act (EU CRA) to mandate SBOMs for connected devices.
  • 2025 (expected): China’s Automotive Cybersecurity Regulations to include SBOM requirements.

Challenges in Managing SBOMs

Organizations face several internal and external pressures in managing SBOMs:

Internal Pressures

  • Numerous teams are building software and SBOMs for various reasons, leading to scalability issues.
  • Misalignment between product groups and security teams on SBOM ownership and outcomes.

External Pressures

  • Rapidly outdated SBOMs.
  • Overwhelming customer demand for SBOMs to meet security requirements.
  • Regulatory demands driving SBOM adoption.
  • Insufficient resource investment in continuous SBOM management.

Supplier SBOM Generation and Management

Managing SBOMs involves several steps:

  1. Supplier SBOM Generation: Software suppliers create and share SBOMs, including details about included software, dependencies, and known vulnerabilities.
  2. SBOM Ingestion & Validation: Automotive OEMs ingest and validate SBOMs from suppliers, ensuring their integrity and authenticity.
  3. SBOM Analysis & Vulnerability Management: In-house cybersecurity teams analyze SBOMs to identify and mitigate potential risks.
  4. SBOM Integration & Traceability: Integrating SBOMs into the software development lifecycle ensures component traceability throughout the product lifecycle.
  5. SBOM Maintenance & Updates: Regular updates to SBOMs ensure accurate and up-to-date information for ongoing cybersecurity risk management.

Overcoming Challenges with Supplier SBOMs

When automotive organizations request SBOMs from their suppliers, challenges often arise:

  • Lack of visibility into code, dependencies, and legacy components.
  • Inconsistent tools and formats across suppliers.
  • SBOMs viewed as proprietary intellectual property.

To address these challenges, industry-wide standardization, clear guidelines, and a collaborative approach are necessary to promote transparency and trust in the software supply chain.

Promoting SBOM Adoption

To drive SBOM adoption among suppliers, automotive organizations should:

  • Highlight the Benefits: Emphasize how SBOMs enhance automotive cybersecurity and streamline compliance efforts.
  • Set Clear Requirements: Include SBOM requirements in RFPs and contracts.
  • Leverage Purchasing Power: Use collective purchasing power to drive SBOM adoption among suppliers.
  • Share Best Practices: Collaborate with suppliers to promote industry-wide SBOM standards and best practices.

Best Practices for Requesting SBOMs

To effectively request SBOMs from suppliers, automotive organizations should:

  • Identify the supplier network and determine the scope of SBOM requests.
  • Establish legal agreements (NDAs) for sharing sensitive information.
  • Clearly communicate SBOM requirements, including expected details and formats.
  • Provide technical guidance and support to suppliers.
  • Maintain open communication to address any questions or concerns.

Establishing an SBOM Policy

Organizations should define guidelines for creating, managing, and sharing SBOMs throughout the software supply chain. This includes conducting a comprehensive inventory of third-party software, developing SBOM consumption and analysis capabilities, implementing governance and access controls, selecting appropriate SBOM generation tools, and integrating SBOM generation into development processes. Continuous monitoring and improvement of SBOM practices are essential to align with evolving industry standards and regulations.


Incorporating SBOMs into automotive cybersecurity strategies is vital for managing risks and ensuring compliance. By understanding regulatory requirements, overcoming challenges, promoting adoption, and following best practices, organizations can enhance their cybersecurity posture and achieve greater transparency in their software supply chain.

For more information on how to effectively implement SBOMs in the automotive industry and enhance your organization’s cybersecurity, contact Finite State at or check out our informative guide, linked below: 

TAG CASE Report Cover SS

Read Our Guide!