
SBOM Mandates Extend to OT Systems in Critical Manufacturing Environments

CISA's 2025 SBOM draft guidance and IEC 62443 amendments extend software transparency mandates to OT systems in critical manufacturing.


Regulators are extending software bill of materials (SBOM) requirements beyond enterprise IT to operational technology assets in critical manufacturing facilities, imposing new compliance obligations on plant operators, OT equipment suppliers, and procurement teams. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published draft updated guidance in August 2025, while parallel amendments to the IEC 62443 industrial security standard and the EU Cyber Resilience Act (CRA) are tightening SBOM expectations for industrial automation and control systems (IACS) worldwide.

Background

CISA published its draft "2025 Minimum Elements for a Software Bill of Materials" on August 22, 2025, opening a public comment period that closed October 3, 2025. The document updates the baseline established by the National Telecommunications and Information Administration (NTIA) in 2021, which set the original U.S. floor for SBOM data fields. According to CISA, what began as a recommended best practice has become a foundational component of national cybersecurity policy, underpinned by Executive Order 14028, OMB Memorandum M-22-18, and the National Cyber Strategy.

The regulatory trajectory accelerated in January 2025, when Executive Order 14144 mandated machine-readable SBOMs for software sold to federal agencies and required attestations linking SBOMs to secure software development lifecycle practices. In Europe, the EU Cyber Resilience Act, adopted in late 2024, legally requires SBOMs for all products with digital elements sold in the EU market, explicitly including firmware in connected hardware.

The manufacturing sector falls directly in scope. Manufacturing accounts for approximately 38% of global OT cybersecurity deployments, the largest share of any sector. As IT-OT convergence accelerates, connecting PLCs, SCADA systems, distributed control systems, and MES platforms to cloud analytics and edge services, the software supply chain attack surface for these assets has widened substantially.

What the Updated Requirements Cover

CISA's 2025 draft guidance introduces four new mandatory data fields to the SBOM baseline: Component Hash, License Information, Tool Name, and Generation Context. These additions move SBOMs from static component checklists to verifiable, machine-processable security assets. The Component Hash field provides a unique cryptographic identifier for each dependency, reducing ambiguity when packages share names but differ in source or build. The Generation Context field records whether an SBOM was produced pre-build, at build time, or through post-build inspection, a distinction that matters in firmware-heavy OT environments where binary analysis is often the only viable method.

For OT-specific assets, the draft IEC 62443-4-1 amendment goes further. The amendment, currently in public enquiry through May 6, 2026, introduces SBOM as a first-class evaluation artifact within the secure product development lifecycle for IACS components, requiring SBOM validation, SBOM-based vulnerability checks, and binary software composition analysis. The standard covers embedded devices, PLCs, HMIs, network components, and software applications used in industrial automation.
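To make the four new fields and the IEC 62443-style SBOM validation step concrete, here is an added example (not code from CISA, the IEC, or the article) that checks a CycloneDX SBOM for Tool Name, Generation Context, License Information, and Component Hash, and verifies the declared hash against the firmware image that was actually delivered. The SBOM and firmware bytes are constructed, and the mapping of CISA's draft field names onto CycloneDX fields (metadata.tools, metadata.lifecycles, components[].licenses, components[].hashes) is an assumption.

```python
import hashlib

# Constructed sample: a CycloneDX 1.5-style SBOM for a hypothetical PLC firmware
# image. Neither the image nor the vendor is real; values are for illustration.
FIRMWARE_IMAGE = b"EXAMPLE PLC FIRMWARE IMAGE v2.4.1 (constructed, not a real binary)"

SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        # Tool Name: the SBOM generator (here a hypothetical binary SCA tool)
        "tools": {"components": [{"type": "application", "name": "example-bin-sca"}]},
        # Generation Context: assumed to map onto the CycloneDX lifecycle phase
        "lifecycles": [{"phase": "post-build"}],
    },
    "components": [{
        "type": "firmware",
        "name": "example-plc-fw",
        "version": "2.4.1",
        # Component Hash: SHA-256 of the delivered image
        "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(FIRMWARE_IMAGE).hexdigest()}],
        # License Information: a vendor-defined license reference
        "licenses": [{"license": {"id": "LicenseRef-Vendor-Proprietary"}}],
    }],
}

GENERATION_CONTEXTS = {"pre-build", "build", "post-build"}


def check_minimum_elements(sbom, artifacts):
    """Return a list of findings; an empty list means the four new fields are
    present and every supplied artifact matches its declared Component Hash.
    `artifacts` maps component name -> raw bytes actually delivered to the plant."""
    findings = []
    meta = sbom.get("metadata", {})
    tools = meta.get("tools", {})
    # CycloneDX 1.4 used a list under metadata.tools; 1.5 nests a "components" list
    tool_entries = tools.get("components", []) if isinstance(tools, dict) else tools
    if not any(t.get("name") for t in tool_entries):
        findings.append("metadata: Tool Name missing")
    phases = {lc.get("phase") for lc in meta.get("lifecycles", [])}
    if not phases & GENERATION_CONTEXTS:
        findings.append("metadata: Generation Context (lifecycle phase) missing")
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("licenses"):
            findings.append(f"{name}: License Information missing")
        sha = next((h["content"] for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"), None)
        if sha is None:
            findings.append(f"{name}: Component Hash (SHA-256) missing")
        elif name in artifacts and hashlib.sha256(artifacts[name]).hexdigest() != sha:
            findings.append(f"{name}: delivered binary does not match declared hash")
    return findings
```

Running the check at receiving inspection, with the delivered image passed in as `artifacts`, turns the SBOM from a document into a verifiable claim about the binary that will actually be loaded onto the controller.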

Supply chain risk is a primary driver. Over 12,000 cybersecurity incidents targeting industrial control systems were reported globally in 2024. Nation-state threat groups, including groups tracked for targeting firmware and OT supervisory layers, have exploited trusted third-party access paths, precisely the vectors SBOMs are designed to surface. According to industrial security analysts, supply chain vulnerabilities extend risk beyond onsite assets to include third-party integrators, firmware vendors, and cloud maintenance services.

Procurement consequences are already materializing. Industry data indicates that asset owners are making SBOM provision a strict condition during RFQ and vendor qualification processes. According to one SBOM management provider, a Fortune 500 customer was told by a major buyer that it would cease purchasing a product unless an SBOM was provided.

Outlook

OT equipment vendors face the most immediate product roadmap pressure. Draft amendments to IEC 62443-4-1 and IEC 62443-4-2 are in active public comment, and suppliers seeking CRA market access in the EU must align development practices with these standards to demonstrate conformity. With evolving mandates such as EO 14028 and standards like IEC 62443 and NERC CIP-013, organizations must now demonstrate SBOM compliance and continuous monitoring for vulnerabilities.

For plant operators and procurement managers, compliance programs must address three interrelated challenges: generating and maintaining SBOMs across multi-vendor OT environments where source code is frequently unavailable; integrating SBOM data into existing vulnerability management and incident response workflows; and updating supplier contracts to require SBOM delivery in machine-readable formats such as SPDX or CycloneDX. CISA and the NSA, alongside 19 international cybersecurity organizations, published joint guidance in September 2025 urging cross-border SBOM adoption and harmonized technical implementation to reduce complexity and cost for industrial operators. Finalization of CISA's updated minimum elements is expected before the end of 2025.