Yes. SBOMs are a foundational requirement of Secure by Design. CISA, the EU Cyber Resilience Act, and US Executive Orders all mandate or strongly recommend SBOMs as essential to building and verifying secure software.
What is Secure by Design?
Secure by Design is a software development philosophy - championed by CISA and endorsed by 19+ international partner agencies - that shifts security responsibility from end users to technology manufacturers. It rests on three core principles:
- Take ownership of security outcomes - manufacturers, not customers, bear responsibility for product security
- Embrace radical transparency - openly share security information, including vulnerabilities and software composition
- Build organizational leadership commitment - security is a board-level priority, not just an engineering concern
The goal is to make products secure out of the box, rather than relying on customers to layer on security after the fact. For a deeper dive, see our post on CISA’s Secure by Design initiative.
Why SBOMs are non-optional
SBOMs are not a nice-to-have under Secure by Design - they are foundational to multiple core principles:
- Radical transparency requires component visibility - you cannot be transparent about your product’s security posture without knowing exactly what components are inside it. An SBOM is the mechanism that provides that visibility.
- Vulnerability response depends on inventory - when a critical vulnerability such as Log4Shell (CVE-2021-44228) or the XZ Utils backdoor (CVE-2024-3094) is disclosed, a current SBOM lets you answer "do we ship the affected component at an affected version?" in minutes rather than days. A match means the component is present; whether it is actually exploitable in your product is a separate question, typically answered with a VEX statement.
- Supply chain integrity - SBOMs make every component and dependency traceable, which is the starting point for verifying where an artifact came from and for spotting substituted or tampered components. The SBOM itself should be signed, so that the inventory you are trusting cannot be altered in transit.
- Compliance mandates it - the EU Cyber Resilience Act, US Executive Order 14028, and CISA’s own guidance all require or strongly recommend SBOMs as part of Secure by Design practices.
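The "are we affected?" lookup described above, as an added example that is not sbomify's code nor part of the original page. It parses a constructed, minimal CycloneDX 1.5 document, matches each component's Package URL (purl) against a hand-written, simplified advisory table for the two real disclosures named above (ranges approximated, pre-release versions such as 2.0-beta9 not modelled, and the `deb/debian` namespace for xz is an assumption), and reports the components that fall inside an affected version range.

```python
"""Answer "are we affected?" from an SBOM: match components against advisories.

Added example for this page, not sbomify's own code. The SBOM is a constructed,
minimal CycloneDX 1.5 JSON document and ADVISORIES is a hand-written, simplified
summary of two real disclosures (ranges approximated; pre-release versions such
as 2.0-beta9 are not modelled). Components are matched on their Package URL
(purl) type/namespace/name, then on version.
"""
import json
import re
from urllib.parse import unquote

# Constructed sample inventory: one vulnerable Log4j, a patched xz, a bystander.
CONSTRUCTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "xz-utils", "version": "5.4.6",
         "purl": "pkg:deb/debian/xz-utils@5.4.6"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Simplified advisory table (assumption: deb/debian is how the distro names xz).
# Each entry: CVE id -> (purl key without version, first affected, first fixed).
ADVISORIES = {
    "CVE-2021-44228": ("maven/org.apache.logging.log4j/log4j-core", "2.0", "2.15.0"),
    "CVE-2024-3094": ("deb/debian/xz-utils", "5.6.0", "5.6.2"),
}


def parse_purl(purl):
    """Split a purl into (type/namespace/name, version or None).

    Qualifiers ('?...') and subpaths ('#...') are dropped; percent-encoding
    is decoded after the split so an encoded '@' in a name is not mistaken
    for the version separator.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    if "@" in body:
        path, version = body.rsplit("@", 1)
    else:
        path, version = body, None
    return unquote(path).strip("/"), (unquote(version) if version else None)


def version_key(version):
    """Numeric-only sort key: '2.14.1' -> (2, 14, 1); non-numeric parts -> 0."""
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_in_range(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed (numeric compare)."""
    return version_key(first_affected) <= version_key(version) < version_key(first_fixed)


def find_affected(sbom_json, advisories):
    """Return [(cve_id, purl), ...] for SBOM components inside an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl means no reliable match; flag such gaps separately
        key, version = parse_purl(purl)
        if version is None:
            continue
        for cve_id, (pkg, first_affected, first_fixed) in advisories.items():
            if key == pkg and version_in_range(version, first_affected, first_fixed):
                hits.append((cve_id, purl))
    return hits


if __name__ == "__main__":
    for cve_id, purl in find_affected(CONSTRUCTED_SBOM, ADVISORIES):
        print(f"{cve_id}: affected component present -> {purl}")
```

Two things this shows that the prose does not: the match quality is only as good as the identifiers in the SBOM (a component with no purl, or a purl in a different ecosystem namespace than the advisory uses, is silently missed, so such gaps should be reported rather than ignored), and a hit establishes presence, not exploitability, which is why the result is the input to a VEX decision rather than the end of the investigation.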
Regulatory mandates
Several major frameworks now connect Secure by Design directly to SBOM requirements:
- CISA Secure by Design Pledge - commits signatories to transparency practices that include providing SBOMs and participating in vulnerability disclosure programs
- EU Cyber Resilience Act (CRA) - makes Secure by Design a legal duty for products with digital elements sold in the EU; its vulnerability-reporting obligations apply from 11 September 2026 and the remaining requirements, including the SBOM obligation, from 11 December 2027
- US Executive Order 14028 - directed NIST to define secure software development practices, including providing purchasers with an SBOM, and OMB to require federal agencies to apply them to the software they buy; NIST's Secure Software Development Framework (SSDF, SP 800-218) is the resulting baseline
- DoD/Pentagon - requires SBOMs in all new software contracts as of February 2025
For detailed compliance guidance, see our pages on EU CRA compliance, NTIA minimum elements, and CISA framing.
How sbomify helps
sbomify provides the tooling to put Secure by Design into practice:
- Generate and manage SBOMs across your entire product portfolio using sbomify-action
- Automated vulnerability scanning against known CVEs so you can respond to disclosures immediately
- Share compliance artifacts with customers and auditors via your Trust Center
- Track compliance against NTIA, CISA, and CRA requirements with built-in compliance plugins
Get started for free at app.sbomify.com.