An SBOM (Software Bill of Materials) is a comprehensive inventory of all components, libraries, and dependencies used in a software application. It provides transparency into the software supply chain, enabling organizations to identify vulnerabilities, ensure license compliance, and meet regulatory requirements.

Why is SBOM important for defense contractors?

Defense contractors must demonstrate complete supply chain transparency under Executive Order 14028 and DoD requirements. SBOMs enable rapid vulnerability response, prevent compromised component infiltration, and provide auditable proof of software composition for Authority to Operate (ATO) packages.

What formats are used for SBOM?

The two primary SBOM formats are SPDX (Software Package Data Exchange) maintained by the Linux Foundation, and CycloneDX maintained by OWASP. Both provide machine-readable representations of software components, but CycloneDX is more focused on security use cases while SPDX emphasizes license compliance.

What is SBOM (Software Bill of Materials)? | Alterra Solutions Glossary

Why it matters

The SolarWinds and Log4j incidents demonstrated how supply chain attacks can compromise thousands of organizations simultaneously. SBOMs are now mandated by Executive Order 14028 for software sold to the US federal government, making them essential for defense contractors and enterprises.

What is an SBOM?

A Software Bill of Materials (SBOM) is a formal, structured list of all the components that make up a software product. Think of it as a "nutrition label" for software—it tells you exactly what ingredients went into the product you're consuming.

An SBOM typically includes:

Component names and versions
Supplier/author information
Dependency relationships (what depends on what)
License information
Cryptographic hashes for integrity verification
Known vulnerabilities (CVE references)

SBOM Formats

Two primary standards have emerged for SBOM representation:

Format	Maintainer	Focus	Best For
SPDX	Linux Foundation	License compliance	Open source projects
CycloneDX	OWASP	Security use cases	Defense & enterprise

Regulatory Requirements

Executive Order 14028 (US)

Signed in May 2021, this order mandates that any software sold to the federal government must include an SBOM. NTIA (National Telecommunications and Information Administration) provides the minimum elements required.

DoD Requirements

The Department of Defense requires SBOMs as part of the Secure Software Development Framework (SSDF) and for Authority to Operate (ATO) packages. Defense contractors must demonstrate:

Complete component inventory
Vulnerability status of all dependencies
Provenance verification (where components came from)
Integrity verification (cryptographic hashes)

SBOM Generation Tools

Several tools can automatically generate SBOMs from your codebase:

Syft (Anchore) – Supports SPDX and CycloneDX
Trivy (Aqua Security) – Combines SBOM with vulnerability scanning
SBOM Tool (Microsoft) – .NET ecosystem focused
cdxgen – CycloneDX generator for multiple languages

SBOM in Air-Gapped Environments

For air-gapped deployments, SBOMs are critical because:

Dependencies cannot be fetched at runtime—everything must be pre-vendored
Vulnerability scanning must happen before deployment, not continuously
Physical media transfers require documented component manifests
Audit requirements demand proof of what was deployed

Alterra's Approach

At Alterra Solutions, every software delivery includes a complete, cryptographically signed SBOM. Our build pipeline generates CycloneDX documents as part of the CI/CD process, and these artifacts are verified at deployment time—even in offline environments.

For classified environments, we provide SBOMs in both digital and printed formats, suitable for inclusion in ATO documentation packages.