Global regulators are advancing phased Software Bill of Materials (SBOM) requirements targeting critical manufacturing sectors, requiring plant operators and OT software vendors to catalogue every software component, dependency, patch history, and known vulnerability embedded in industrial control systems. Driven by converging U.S. and European frameworks, the push signals a fundamental shift in how fabricators, process engineers, and procurement managers must manage third-party software risk - particularly within operational technology (OT) and industrial control system (ICS) environments where legacy assets dominate.
Regulatory Background
The foundational mandate traces to U.S. Executive Order 14028, signed in 2021, which required SBOMs for software sold to federal agencies and established a cybersecurity and procurement baseline reinforced by NTIA minimum field requirements. A second executive order, EO 14144, issued in January 2025, expanded compliance requirements and clarified the standards software companies must follow.
In August 2025, CISA released a draft of its updated "2025 Minimum Elements for a Software Bill of Materials," opening a public comment period that closed on October 3, 2025. According to CISA, the draft reflects advances in SBOM tooling and growing adoption maturity since the original 2021 guidance. CISA's 2025 draft introduces required data fields including component hash, license information, tool name, and generation context - expanding SBOMs beyond simple inventory into verifiable security records. Following the comment period's close, CISA is expected to publish a finalized revision of the minimum elements.
On the European side, the EU Cyber Resilience Act (CRA) entered into force in December 2024 and will be fully enforced starting in 2026. Under the CRA, manufacturers must identify, address, and report on vulnerabilities in their products, with mandatory SBOM generation covering all software components - including firmware - from the operating system down to the smallest embedded module. In April 2025, the European Commission formally accepted standardization requests from CEN and CENELEC, setting the technical standards every connected product must meet to enter the European market.
What Manufacturers Must Document
For OT and ICS operators in critical manufacturing, compliance extends well beyond enterprise IT. The National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems specifically targeted OT environments, recognizing their unique exposure. The updated CISA framework aligns with this focus, requiring that SBOMs for industrial systems use machine-processable formats to support integration into broader cybersecurity programs.
CISA and NSA jointly published "A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity," a document advocating SBOM adoption and endorsed by 19 international cybersecurity organizations. The guidance calls for SBOMs to function as operational decision-support tools - linked to vulnerability exploitability exchange (VEX) data to enable rapid correlation of Common Vulnerabilities and Exposures (CVEs) against installed OT components - rather than static compliance artifacts.
Procurement teams face particular difficulty with proprietary and commercial off-the-shelf (COTS) systems. According to CISA's draft guidance, when vendors cannot or will not provide complete SBOMs for internal or transitive dependencies of proprietary components, asset owners should specify alternative attestations of secure development practices aligned with NIST SP 800-218, or require VEX statements as a priority.
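The two checks the guidance above implies, in one added example that is not from the page or from any CISA tooling: a minimum-field audit against the draft's component hash, license, tool name and generation context fields, then an SBOM-to-CVE correlation that applies vendor VEX statements so only exploitable findings remain. The SBOM shape, the CVE feed and the VEX statements are all constructed sample data (the CVE identifiers are placeholders, not real entries).

```python
# Constructed sample SBOM in a simplified, format-agnostic shape (not a full CycloneDX/SPDX document).
SAMPLE_SBOM = {
    "tool_name": "example-sbom-generator",  # assumed tool name
    "generation_context": "build",          # when the SBOM was produced (build, runtime, analysis)
    "components": [
        {"name": "libmodbus", "version": "3.1.6", "hash": "sha256:" + "a" * 64, "license": "LGPL-2.1"},
        {"name": "openssl", "version": "1.1.1k", "hash": "sha256:" + "b" * 64, "license": "Apache-2.0"},
        {"name": "busybox", "version": "1.31.0"},  # deliberately lacks hash and license
    ],
}
# Constructed vulnerability feed keyed by (name, version); IDs are placeholders, not real CVEs.
SAMPLE_CVES = {("openssl", "1.1.1k"): ["CVE-0000-0001", "CVE-0000-0002"],
               ("libmodbus", "3.1.6"): ["CVE-0000-0003"]}
# Constructed vendor VEX statements; status values follow the CISA VEX status vocabulary.
SAMPLE_VEX = [
    {"cve": "CVE-0000-0001", "component": "openssl", "version": "1.1.1k", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"cve": "CVE-0000-0003", "component": "libmodbus", "version": "3.1.6", "status": "affected"},
]
REQUIRED_DOC_FIELDS = ("tool_name", "generation_context")
REQUIRED_COMPONENT_FIELDS = ("name", "version", "hash", "license")


def missing_fields(sbom):
    """Return {component or '<document>': [missing fields]} against the minimum element set."""
    gaps = {}
    doc_missing = [f for f in REQUIRED_DOC_FIELDS if f not in sbom]
    if doc_missing:
        gaps["<document>"] = doc_missing
    for comp in sbom.get("components", []):
        missing = [f for f in REQUIRED_COMPONENT_FIELDS if f not in comp]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def correlate(sbom, cves, vex):
    """Attach each known CVE to its installed component with the VEX status; no VEX means under_investigation."""
    vex_index = {(v["component"], v["version"], v["cve"]): v["status"] for v in vex}
    findings = []
    for comp in sbom.get("components", []):
        key = (comp.get("name"), comp.get("version"))
        for cve in cves.get(key, []):
            status = vex_index.get(key + (cve,), "under_investigation")
            findings.append({"component": key[0], "version": key[1], "cve": cve, "status": status})
    return findings


def actionable(findings):
    """Keep only CVEs still needing triage or patching: drop those a VEX marks not_affected or fixed."""
    return [f for f in findings if f["status"] not in ("not_affected", "fixed")]
```

A CVE with no matching VEX statement is kept as under_investigation rather than dropped, which is the conservative default an asset owner wants when a vendor's VEX coverage is incomplete.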
The challenge is acute for plants running aging ICS platforms. Vendors often cannot provide SBOMs for legacy OT systems, leaving asset owners to assume the full security risk - a problem that binary composition analysis (BCA) of compiled executables can partially address without requiring access to original source code. Over 75% of ICS vulnerabilities are estimated to be absent from the National Vulnerability Database (NVD), compounding the difficulty of manual legacy system audits.
Industry Concerns and Enforcement Outlook
Industry groups have raised concerns about the administrative burden of mapping software dependencies across multi-vendor OT environments operating on decades-old upgrade cycles. According to a 2025 CodeSecure analysis, a large percentage of vendors using embedded systems may not be ready for automated CRA compliance, with manual SBOM assembly or static analysis scans insufficient for scalable adherence.
Manufacturing absorbed a 56% surge in ransomware attacks in 2025, with legacy OT systems and supply chain access cited as primary attack vectors. Proponents of the mandates point to this threat landscape as direct justification. Software supply chain attacks increased more than 700% between 2019 and 2022, according to Sonatype research.
Compliance timelines are staggered to ease the transition. South Korea announced a new SBOM mandate in October 2025, with public sector procurement requirements set to take effect in 2027 - aligning the country with the U.S. and EU in treating software components as a critical supply chain risk. In the U.S., CISA is also working to finalize CIRCIA reporting rules by May 2026, further tightening incident disclosure obligations for critical infrastructure operators.
OT vendors, systems integrators, and in-house cybersecurity teams are advised to begin mapping software component inventories now - prioritizing new acquisitions and active development environments before extending to legacy installed base. Alignment with IEC 62443, NIST CSF 2.0, and NIST SP 800-161 supply chain risk management controls will provide the clearest compliance pathway as enforcement dates approach.
