At the end of 2020, many organizations and enterprises installed a “regular update” for their network management software.
Hidden within that update file, however, was malicious code planted by attackers.
Through that backdoor, the compromise quickly spread across government agencies and private companies alike.
This incident is now known as “the SolarWinds supply chain attack.” The following year, in 2021, came another supply chain based ransomware attack targeting Kaseya VSA.
Together, these events made one stark fact impossible to ignore: the most trusted part of the supply chain can become the most dangerous entry point.
From Regulation to Common Language “The Rise of SBOM”
These incidents prompted action at the government level.
On May 12, 2021, the U.S. government issued Executive Order 14028, elevating software supply chain security to national priority.
Among its key initiatives, it introduced the Software Bill of Materials (SBOM) as an essential tool for software transparency.
In the U.S. federal procurement domain, this policy evolved into concrete requirements that all software supplied to the government must be developed and managed under secure practices. The Cybersecurity and Infrastructure Security Agency (CISA) has since developed frameworks to ensure compliance. Other sectors soon followed. The U.S. Food and Drug Administration (FDA) incorporated SBOM submissions into its cybersecurity guidelines for medical device manufacturers.
In Europe, the forthcoming Cyber Resilience Act (CRA) mandates that manufacturers identify and document components within their products and maintain a machine-readable SBOM throughout the product lifecycle.
Japan’s Ministry of Economy, Trade and Industry (METI) also released an SBOM adoption guide, aligning with the growing global trend of requiring SBOMs in public procurement and commercial contracts.
What began as a regulatory obligation is now evolving into a business standard.
Private Companies Start Demanding SBOMs
Supply chain attacks were never just a problem for governments.
As cybersecurity incidents multiplied, private companies realized that maintaining SBOMs only for internally developed software was not enough visibility must extend across suppliers and all delivered components.
Global telecom operators, recognizing this dependency risk, started requiring suppliers to submit machine-readable SBOMs and to keep them continuously updated. These requirements are now being embedded directly into contracts and security addenda.
For telcos, this is not simply a compliance measure. It’s an operational safeguard. Hackers often target weaker suppliers instead of directly attacking telecom networks. Having suppliers provide SBOMs that document all components and their versions enables faster impact assessments and incident response when new vulnerabilities emerge.
- T-Mobile, for example, specifies SBOM submission in its third-party security policy, using it as a risk management and transparency mechanism across its software supply chain.
- In 2025, AT&T released Supplier Artificial Intelligence Requirements (SAIR) v2.1, mandating SBOM submissions for all deliverables containing AI-generated code, including detailed listings of libraries and modules for each release version.
- European telecom giants such as Orange and Deutsche Telekom enforce similar contractual SBOM obligations.
Following significant security breaches in 2025, Korean telecom companies have also recognized the critical importance of SBOM. After a major incident exposed vulnerabilities stemming from unpatched legacy software,
- SK Telecom and KT introduced SBOM requirements across internal and external software, hardware, and vendor ecosystems.
- KT’s December 2025 cybersecurity strategy emphasizes consistent supply chain security and proactive vulnerability management.
Without SBOMs, Exports and Sales Are at Risk
SBOMs are no longer “nice-to-have documentation.” They’re becoming mandatory for business.
Once global telecom and technology leaders began including SBOM clauses in their procurement terms, software and hardware vendors without SBOMs started being excluded from RFPs, PoCs, and contract reviews. In other words, no SBOM means stalled bids and stalled revenue.
With the U.S. and Europe reinforcing supply chain security, this expectation is now standard across government procurement, telecommunications, and cloud service providers. In such an environment, the absence of SBOMs can be treated as missing mandatory submission documents, delaying or even blocking exports and commercial contracts. SBOMs are now both a cybersecurity issue and a business continuity issue.
Beyond Paperwork, The Need for Operational SBOMs
The fact that companies are now demanding SBOMs means one-off, manually created files are no longer sufficient.
What organizations need today are operational SBOMs automatically generated, maintained, and validated as part of continuous software operations.
Modern software pipelines must automatically produce SBOMs in a standard, machine-readable format such as SPDX or Cyclone DX for every release version. They must also be updated whenever components change, ensuring instant visibility when vulnerabilities arise. This process starts with identifying what components are inside your software.
A Software Composition Analysis (SCA) tool automates the detection of open-source components, libraries, and modules, creating accurate SBOMs while mapping known vulnerabilities (CVEs) and risk exposures by version.
Procurement organizations and telecom operators are building platforms that can collect, verify, and exchange these SBOMs across vendors maintaining supply chain visibility and trust throughout the lifecycle.
SBOMs: Generated, Exchanged, and Managed
As SBOM adoption expands, suppliers are no longer asked “Do you have an SBOM?”
The real question is now: “Can you provide an up-to-date, standard-format SBOM for every release?”
Labrador Labs helps companies meet this new reality.
Using Labrador SCA, organizations can generate and validate SBOMs automatically capturing all open-source and commercial components, versions, licenses, and vulnerabilities.
With Labrador SCM launched in March 2024 companies can exchange SBOMs securely and manage supplier compliance at scale.
Today, SBOMs have become a business survival requirement.
Don’t wait until customers demand them; build an operational SBOM system from the start with Labrador Labs’ SCA +SCM solutions for continuous, secure, and sustainable supply chain management.
📌 Built a sustainable supply chain with Labrador today!
Phone: US Office +1 650-278-9253 (Mon–Fri, 9 AM–6 PM)
Email: contact@labradorlabs.ai (1:1 demo requests and pricing inquiries)
[Reference]
https://www.cisa.gov/news-events/alerts/2021/01/07/supply-chain-compromise
https://www.cisa.gov/news-events/alerts/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack
https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf
https://www.fda.gov/media/178547/download
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A02024R2847-20241120
https://www.t-mobile.com/content/dam/digx/tmobile/us/en/non-dynamic-media/pdf/TISP-600_T-Mobile_Third-Party_Information_Security_Policy.pdf
https://www.t-mobile.com/content/dam/digx/tmobile/us/en/non-dynamic-media/pdf/TISP-600_T-Mobile_Third-Party_Information_Security_Policy.pdf
https://attsuppliers.com/downloads/ATT-Supplier-Artificial-Intelligence-Requirements-V1.pdf
KT Data Breach Apology to Customers and Announcement of Information Security Innovation Measures | SBS Issue Live
https://www.youtube.com/live/_weOlIKXr_s?si=FshTL3yulNT9Acsp