Executive Order 14028 SBOM Requirements

Understanding Executive Order 14028 and its SBOM requirements for US federal agencies and software vendors selling to the government.

Who it affects: US federal agencies and any software vendors/providers that sell software to the US federal government (directly or through integrators).

Overview

Executive Order 14028 (“Improving the Nation’s Cybersecurity”, issued May 12, 2021) is a binding directive for US federal agencies and the starting point of modern US government SBOM adoption. It directs the Department of Commerce to publish the minimum elements of an SBOM, and directs NIST to issue software supply chain security guidance that includes providing each purchaser with an SBOM for every product, either directly or by publishing it on a public website.

EO 14028 defines an SBOM as “a formal record containing the details and supply chain relationships of various components used in building software.”

Key Requirements

EO 14028 requires:

  • SBOM provision to purchasers - Software vendors must provide an SBOM directly or publish it on a public website
  • Supply chain security measures - Enhanced security practices for the software supply chain
  • Vulnerability handling process - Processes for identifying and addressing vulnerabilities

What EO 14028 Does NOT Specify

EO 14028 does not specify SBOM field-level requirements. Instead, it defers to the NTIA minimum elements and subsequent guidance for the actual SBOM content requirements.

Practical Implications

If you sell software to the US federal government:

  1. You must be prepared to provide an SBOM for your products
  2. Your SBOM should follow the NTIA minimum elements at a minimum
  3. Consider adopting the CISA 2025 draft guidance for more comprehensive coverage


Disclaimer: This page represents our interpretation of the referenced frameworks and standards. While we strive for accuracy, we may have made errors or omissions. This content is provided for informational purposes only and does not constitute legal advice. For compliance decisions, consult the official source documents and seek qualified legal counsel.