Marc Frankel
I have a six year old, so I have plenty of experience explaining things to six year olds. Excellent. It's a great question. First and foremost, I would say you need to check the regulations. There have been a raft of regulatory requirements over the course of the last three years requiring SBOMs for different industries and different geographies.
And so to name a few, Executive Order 14028 signed by President Biden. I guess I've deviated from the six year old thing here for just a moment. But President Biden signed an executive order requiring anybody who sells software to the U.S. federal government, enabling the U.S. government to require SBOMs from those government contracts.
Similarly, the FDA has started requiring SBOMs from medical device manufacturers. So they have said that they will refuse to approve any new software-enabled medical devices unless the pre-market submission is accompanied by an SBOM. For your listeners specifically, the Cyber Resilience Act in the EU...
which was, and I'm not an EU legislative policy expert by any stretch of the imagination, but the enforcement will begin in two years. So if you have business operations that involve the generation of software in the EU, much like GDPR, you know, touches just about everybody who interacts with the EU, you may be required to produce those SBOMs to a regulator in as little as two years' time.
So step number one is check the regs. Do you operate in Europe? Do you touch any of these other regulated fields? Step number two is check what your downstream customers are requiring. So it's a little bit different if you are physically putting together a box of cereal.
But if you are in the food delivery, food manufacture industry and you have software enabled assembly lines or you have quality control capabilities or you have anything that involves software, you may be required in the not too distant future by your customers to provide these SBOMs to them. So step number one is regulation. Step number two is the customer mandate.
Step number three is to check your internal DevOps and DevSecOps capabilities. So do you, with every new version of every new software application that your company develops, do you have an SBOM? Do you have an inventory of what are the third party and open source components that went into this piece of software?
So that when something goes bump in the night and a new vulnerability is disclosed, you can be one click away from understanding.
You know, like I'm equally pooped out by the ball pit. But yes, every company, whether they want to be or not, is in the software generation space these days. And then I think I'm up to four. I don't recall specifically. But the last one that I would close with is you're generating software, but your vendors are providing software to you. Go back.
Look at your third party risk management, vendor due diligence procedures. If it doesn't say in question, question 1A ought to be what's the name of your company, Mr. Vendor? Question 1B ought to be upload your SBOM.