Draft:Transparency in Software Supply Chain

Review waiting, please be patient.

This may take 4 weeks or more, since drafts are reviewed in no specific order. There are 1,687 pending submissions waiting for review.

If the submission is accepted, then this page will be moved into the article space.
If the submission is declined, then the reason will be posted here.
In the meantime, you can continue to improve this submission by editing normally.

Where to get help

If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews.
If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed.

How to improve a draft

Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia.
Help:Wikitext – how to use the markup
Help:Referencing for beginners – how to include references
Wikipedia:Article development – how to develop your article
Wikipedia:Writing better articles – how to improve your article
Wikipedia:Verifiability – make sure your article includes reliable third-party sources

You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article.

Improving your odds of a speedy review

To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags.

Add tags to your draft

Editor resources

Easy tools: Citation bot (help) | Advanced: Fix bare URLs

Reviewer tools

Instructions · What links here · Transparency in Software Supply Chain (talk: + · bio) · (log) · Copyvios report · reFill · Citation Bot · (Search: Google, Wikipedia) · Submitted 6 days ago by Cyberkiborg (talk: D · +) · Last edited 16 hours ago by Citation bot

Transparency in the software supply chain is the disclosure of information about software components, their relationships, origins, and development methods for risk management, vulnerability detection, and compliance throughout the software lifecycle.^[1]^[2]^[3] Transparency allows developers, suppliers, customers, and government agencies to gain insight into the composition and origin of software products to better assess their reliability and security.

Software supply chain transparency covers open source and third-party components, proprietary code, build systems, and distribution mechanisms. It includes keeping track of components and metadata (e.g., using a Software Bill of Materials), including versions, origins, and the development and security practices used.^[4]^[5]

History

Technical formats for documenting software components, such as SPDX (published in 2011)^[6] and CycloneDX (published in 2017),^[7] existed before the concept of software supply chain transparency emerged. These formats were created to comply with license agreements and maintain tool compatibility, and their gradual development led to the emergence of the concept of transparency, which includes component documentation, disclosure practices, risk management, and legal compliance.^[8]

2018 — The U.S.' NTIA launches a multilateral process on the transparency of software components.^[9]
2021, May 12 — US President Joe Biden's Executive Order 14028 on Improving the Nation's Cybersecurity of May 12, 2021 requires federal agencies to increase supply chain transparency, including SBOM requirements.^[10]
2021, July 12 — NTIA publishes The Minimum Elements For a Software Bill of Materials (SBOM).^[11]
2021–2025 — CISA updates Framing Software Component Transparency with expanded SBOM metadata and operational guidance.
2025, September 3 — METI and Japan NCO, with 15 countries, issue "A Shared Vision of SBOM for Cybersecurity".^[12]
2025 — The EU Cyber Resilience Act requires manufacturers to create, maintain, and retain SBOMs for software marketed in the EU.^[13]

Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a structured list of components, libraries, and tools for creating and distributing a software product.^[14] In software supply chains, an SBOM documents all components, both open-source and proprietary.^[15]^[16] SBOMs support component version verification, enabling license and vulnerability analysis and rapid response to the latter, ensuring risk management.

Under Executive Order 14028, U.S. federal agencies require software suppliers to provide SBOMs for government-procured software.The list of minimum required SBOM elements defined by NTIA includes three main categories: required data fields for describing each component (name, version, identifiers), automation support (machine-readable format, generation tools), and recommendations for creating SBOMs during development and purchasing.^[4]^[17]

Adoption

Policy-driven SBOMs in open source: 0.56 % of popular GitHub repositories contain SBOMs created in accordance with formal security or compliance policies.^[18]
SBOM in projects: Less than 50% of the software projects studied include SBOM in releases or version control systems, with many SBOMs being incomplete or not conforming to standards.^[19]
Enterprise adoption: 60–76% of enterprises require SBOMs from suppliers or integrate them into procurement risk management.^[20]
IT security products: TRACS 2025 defines SBOM availability as a parameter for evaluating cybersecurity software. Currently, only a few enterprise products provide publicly available SBOMs.^[21]

References

^ "Cyber Resilience Act". EUR-Lex. 20 November 2024.
^ "Request for Comment on 2025 Minimum Elements for a Software Bill of Materials" (PDF). DEPARTMENT OF HOMELAND SECURITY.
^ "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)" (PDF). National Telecommunication and Information Administration. 2021-10-21.
^ ^a ^b "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). NTIA.
^ "The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply Chain". www.sei.cmu.edu. 2023-11-06. Retrieved 2026-01-23.
^ "SPDX Workgroup Releases Software Package Data Exchange Standard to Widespread Industry Support - Linux Foundation". www.linuxfoundation.org. Retrieved 2026-01-21.
^ "CycloneDX joins OWASP as a flagship project | OWASP Foundation". owasp.org. Retrieved 2026-01-21.
^ Wang, Chengjie; Wu, Jingzheng; Lyu, Hao; Ling, Xiang; Luo, Tianyue; Wu, Yanjun; Zhao, Chen (2026). "A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM". ACM Transactions on Software Engineering and Methodology 3788692. arXiv:2601.05622v1. doi:10.1145/3788692.
^ "Multistakeholder Process on Promoting Software Component Transparency". Federal Register. 2018-06-07. Retrieved 2026-01-21.
^ "Executive Order 14028 SBOM Requirements". Sbomify. Retrieved 2026-01-21.
^ Street, Arch (2021-07-12). "Software Bill of Materials Minimum Elements Defined by NTIA". View from Arch Street. Retrieved 2026-01-21.
^ Poireault, Kevin (2025-09-05). "US and 14 Allies Release Joint Guidance on Software Bill of Materials". Infosecurity Magazine. Retrieved 2026-01-21.
^ "EU CRA SBOM Requirements: Overview & Compliance Tips". Anchore. Retrieved 2026-01-21.
^ "For Good Measure Counting Broken Links: A Quant's View of Software Supply Chain Security" (PDF). USENIX ;login. Archived (PDF) from the original on 2022-12-17. Retrieved 2022-07-04.
^ "[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management". Archived from the original on 2015-06-14. Retrieved 2015-06-12.
^ "Software Bill of Materials". ntia.gov. Archived from the original on 2022-11-30. Retrieved 2021-01-25.
^ "Automating compliance tooling" (PDF). NTIA. 17 June 2021.
^ Novikov, Oleksii; Fucci, Davide; Adamov, Oleksandr; Mendez, Daniel (2025-09-01), Policy-driven Software Bill of Materials on GitHub: An Empirical Study, arXiv:2509.01255
^ Nocera, Sabato; Romano, Simone; Di Penta, Massimiliano; Francese, Rita; Scanniello, Giuseppe (2025-12-01). "On the adoption of software bill of materials in open-source software projects". Journal of Systems and Software. 230 112540. doi:10.1016/j.jss.2025.112540. ISSN 0164-1212.
^ Ian Barker (2023-08-03). "Supply chain worries drive adoption of SBOMs". BetaNews. Retrieved 2026-01-17.
^ "TRANSPARENCY REVIEW AND ACCOUNTABILITY IN CYBER SECURITY 2025" (PDF). WKO.

[1] "Cyber Resilience Act". EUR-Lex. 20 November 2024.

[2] "Request for Comment on 2025 Minimum Elements for a Software Bill of Materials" (PDF). DEPARTMENT OF HOMELAND SECURITY.

[3] "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)" (PDF). National Telecommunication and Information Administration. 2021-10-21.

[NTIA-Minimum-4] "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). NTIA.

[5] "The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply Chain". www.sei.cmu.edu. 2023-11-06. Retrieved 2026-01-23.

[6] "SPDX Workgroup Releases Software Package Data Exchange Standard to Widespread Industry Support - Linux Foundation". www.linuxfoundation.org. Retrieved 2026-01-21.

[7] "CycloneDX joins OWASP as a flagship project | OWASP Foundation". owasp.org. Retrieved 2026-01-21.

[8] Wang, Chengjie; Wu, Jingzheng; Lyu, Hao; Ling, Xiang; Luo, Tianyue; Wu, Yanjun; Zhao, Chen (2026). "A Large Scale Empirical Analysis on the Adherence Gap between Standards and Tools in SBOM". ACM Transactions on Software Engineering and Methodology 3788692. arXiv:2601.05622v1. doi:10.1145/3788692.

[9] "Multistakeholder Process on Promoting Software Component Transparency". Federal Register. 2018-06-07. Retrieved 2026-01-21.

[10] "Executive Order 14028 SBOM Requirements". Sbomify. Retrieved 2026-01-21.

[11] Street, Arch (2021-07-12). "Software Bill of Materials Minimum Elements Defined by NTIA". View from Arch Street. Retrieved 2026-01-21.

[12] Poireault, Kevin (2025-09-05). "US and 14 Allies Release Joint Guidance on Software Bill of Materials". Infosecurity Magazine. Retrieved 2026-01-21.

[13] "EU CRA SBOM Requirements: Overview & Compliance Tips". Anchore. Retrieved 2026-01-21.

[14] "For Good Measure Counting Broken Links: A Quant's View of Software Supply Chain Security" (PDF). USENIX ;login. Archived (PDF) from the original on 2022-12-17. Retrieved 2022-07-04.

[15] "[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management". Archived from the original on 2015-06-14. Retrieved 2015-06-12.

[16] "Software Bill of Materials". ntia.gov. Archived from the original on 2022-11-30. Retrieved 2021-01-25.

[17] "Automating compliance tooling" (PDF). NTIA. 17 June 2021.

[18] Novikov, Oleksii; Fucci, Davide; Adamov, Oleksandr; Mendez, Daniel (2025-09-01), Policy-driven Software Bill of Materials on GitHub: An Empirical Study, arXiv:2509.01255

[19] Nocera, Sabato; Romano, Simone; Di Penta, Massimiliano; Francese, Rita; Scanniello, Giuseppe (2025-12-01). "On the adoption of software bill of materials in open-source software projects". Journal of Systems and Software. 230 112540. doi:10.1016/j.jss.2025.112540. ISSN 0164-1212.

[20] Ian Barker (2023-08-03). "Supply chain worries drive adoption of SBOMs". BetaNews. Retrieved 2026-01-17.

[21] "TRANSPARENCY REVIEW AND ACCOUNTABILITY IN CYBER SECURITY 2025" (PDF). WKO.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]