Federal Government agencies, Energy Companies and other critical infrastructure operators will be looking to utilize SBOM's in software supply chain risk assessments, when the new executive order (see link below from Reuters) is published this coming shortly. Testing can begin now with either SPDX Tag/Value or CycloneDX XML SBOM formats; both are supported in NTIA's SBOM initiative. Energy Central hosted a PowerSession on best practices for software supply chain risk assessments that contains some very useful information for parties interested in using SBOM's. This session is available on demand.
This PowerSession clearly shows the good benefits that SBOM's provide NOW as part of a software supply chain risk assessment. The bad guys will continue to exploit opportunities to cause harm - we must implement defensive tactics today to prevent them from succeeding. Requesting that software vendors provide SPDX Tag/Value or CycloneDX XML SBOM's, which are available and implemented in tools today, with each software release, including patches, for use within a software supply chain risk assessment, before any attempt to install a software package, is a prudent and beneficial defense that is available NOW to help identify, detect and mitigate software supply chain risks. Waiting for the perfect SBOM to arrive will only give the bad guys more opportunity to attack knowing the victims are not putting to good use the defensive measures that are available NOW with today's SBOM's and tools.