Who it affects: US federal agencies and any software vendors/providers that sell software to the US federal government (directly or through integrators).
Overview
Executive Order 14028 (“Improving the Nation’s Cybersecurity”, issued May 12, 2021) is a binding directive for US federal agencies that kicked off modern US government SBOM adoption. It directs the Department of Commerce to publish minimum elements for an SBOM and directs NIST to issue software supply chain security guidance that includes providing a purchaser an SBOM for each product (directly or by publishing it on a public website).
EO 14028 defines an SBOM as “a formal record containing the details and supply chain relationships of various components used in building software.”
Key Requirements
EO 14028 requires:
- SBOM provision to purchasers - Software vendors must provide an SBOM directly or publish it on a public website
- Supply chain security measures - Enhanced security practices for the software supply chain
- Vulnerability handling process - Processes for identifying and addressing vulnerabilities
What EO 14028 Does NOT Specify
EO 14028 does not specify SBOM field-level requirements. Instead, it defers to the NTIA minimum elements and subsequent guidance for the actual SBOM content requirements.
Policy Updates (2025–2026)
EO 14028 itself has not been rescinded and remains in effect. However, the implementing guidance has changed significantly:
EO 14144 (January 2025): The Biden administration issued EO 14144 to strengthen EO 14028 with more rigorous third-party attestation requirements, including mandatory machine-readable attestations submitted to CISA, high-level artifacts such as SBOMs, and centralized validation.
EO 14306 (June 2025): The Trump administration rescinded key portions of EO 14144, removing the enhanced attestation mandates, the requirement for vendors to provide SBOMs as “high-level artifacts,” the CISA centralized validation role, and several other provisions. NIST guidance updates (SP 800-53, SP 800-218) and FedRAMP requirements were retained.
OMB Memorandum M-26-05 (January 2026): OMB rescinded Memorandums M-22-18 and M-23-16, which had required agencies to obtain standardized self-attestation forms from software vendors. The new approach allows each agency to develop its own risk-based assurance processes. The universal attestation requirement is now optional — agencies may use CISA’s common form at their discretion. Notably, M-26-05 states that agencies adopting contractual terms for cloud service providers should specify that the producer must provide an SBOM of the runtime production environment upon request.
What This Means in Practice
The shift is from a centralized, one-size-fits-all attestation mandate to a decentralized, agency-led approach:
- EO 14028’s core SBOM and supply chain security principles remain in effect
- Agencies are no longer required to use the standardized CISA attestation form — but they may choose to
- Agencies can now tailor their assurance requirements to their specific risk profiles
- SBOMs remain relevant — agencies may require them contractually, and M-26-05 specifically encourages SBOM requirements for cloud service providers
- Your SBOM should still follow the NTIA minimum elements at a minimum
Official Sources
- Executive Order 14028 – Improving the Nation’s Cybersecurity (2021)
- OMB Memorandum M-26-05 (January 2026)
- OMB Rescinds Biden-Era Software Security Requirements (Davis Wright Tremaine analysis)
- Trump Reverses Key Directives of Biden Cyber Executive Order (Davis Wright Tremaine analysis)
Disclaimer: This page represents our interpretation of the referenced frameworks and standards. While we strive for accuracy, we may have made errors or omissions. This content is provided for informational purposes only and does not constitute legal advice. For compliance decisions, consult the official source documents and seek qualified legal counsel.