Introduction
The automotive industry is undergoing a rapid transformation with increasing reliance on software-driven technologies. Ensuring cybersecurity and supply chain integrity has become a top priority for manufacturers and suppliers. The Auto-ISAC Software Bill of Materials (SBOM) Informational Report (Version 3.0) provides a comprehensive look at SBOM implementation, its role in cybersecurity, and best practices for its effective use. This blog summarizes the key insights and findings from the report.
What is an SBOM?
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of the software components that make up a product, together with their versions, suppliers, and the dependency relationships between them; in practice it is exchanged in a standard format such as SPDX or CycloneDX. It tells an organization exactly which components ship in a given software application, so that a newly disclosed vulnerability in one component can be traced to every product that contains it and assessed for risk. SBOMs are particularly valuable in industries with deep, multi-tier supply chains, such as automotive manufacturing, where the manufacturer often has no direct visibility into the third-party and open-source code inside a supplier's deliverable.
The Unique Challenges of the Automotive Industry
Unlike other sectors, the automotive industry presents unique cybersecurity challenges due to its:
- Complex Supply Chain: Vehicles consist of thousands of parts sourced from various suppliers, making it essential to track software dependencies.
- Cybersecurity and Safety Concerns: Vehicle software controls safety-relevant functions, so a security breach can have physical and potentially life-threatening consequences, making it vital to ensure software integrity.
- Long Product Lifecycle: Vehicles are expected to last 15+ years, requiring continuous security updates.
- Regulatory Compliance: Adherence to standards and regulations such as ISO/SAE 21434 and UN Regulation No. 155 (UN R155), adopted under UNECE WP.29, is crucial.
- Data Privacy Concerns: Connected vehicles generate vast amounts of sensitive data, necessitating strict privacy controls.
Government and Industry Adoption of SBOMs
The report highlights how SBOMs are gaining traction across governments, regulatory bodies, and industry groups:
- United States: Agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the National Highway Traffic Safety Administration (NHTSA) have emphasized SBOM use.
- European Union: The Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to produce an SBOM as part of their software supply chain security obligations.
- Japan: The Ministry of Economy, Trade, and Industry (METI) has issued guidance similar to U.S. recommendations.
- Industry Collaborations: Organizations like the Society of Automotive Engineers (SAE) and the Open Source Security Foundation (OpenSSF) are developing SBOM guidance and standards.
Best Practices for SBOM Implementation
To effectively integrate SBOMs into automotive cybersecurity strategies, the Auto-ISAC report outlines several best practices:
- Pre-Sale Considerations: SBOMs should be included in supplier agreements, non-disclosure agreements (NDAs), and service-level agreements (SLAs).
- Development Integration: SBOMs should be generated during the software development process and continuously updated.
- Secure Exchange of SBOMs: An SBOM is a complete map of a product's components and versions, which is as useful to an attacker as it is to a defender, so stakeholders must share SBOMs over authenticated, access-controlled channels and maintain their confidentiality.
- Vulnerability Management: SBOMs play a crucial role in tracking vulnerabilities and responding to threats. When a new vulnerability is disclosed, the SBOM lets an organization identify which products contain the affected component and version without re-analyzing every binary.
- Automation and Tooling: Organizations should leverage automated SBOM generation, validation, and vulnerability scanning tools.
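To make the SBOM definition above and the vulnerability-management and automation practices concrete, here is an added example written for this summary; it is not code from the Auto-ISAC report or from any tool it names. It loads a constructed CycloneDX 1.5 JSON SBOM for a hypothetical telematics unit image, checks it against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, author and timestamp), and matches its components against a constructed advisory list. The component names, versions, affected ranges and advisory identifiers (EXAMPLE-0001 and so on) are all invented sample data, not real packages or CVEs.

```python
"""Validate a CycloneDX-style SBOM and match its components against advisories.

Added example: the SBOM and the advisory list below are constructed sample data.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 JSON document for a hypothetical "tcu-image" firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2024-05-01T12:00:00Z",
    "tools": [{"name": "example-sbom-generator", "version": "0.1"}],
    "component": {"type": "firmware", "bom-ref": "tcu-image", "name": "tcu-image",
                  "version": "4.2.0", "supplier": {"name": "Example Tier-1"}}
  },
  "components": [
    {"type": "library", "bom-ref": "zlib", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11", "supplier": {"name": "zlib project"}},
    {"type": "library", "bom-ref": "libcurl", "name": "libcurl", "version": "7.79.1",
     "purl": "pkg:generic/libcurl@7.79.1", "supplier": {"name": "curl project"}},
    {"type": "library", "bom-ref": "vendor-tls", "name": "vendor-tls", "version": "2.1-rc3",
     "purl": "pkg:generic/vendor-tls@2.1-rc3"}
  ],
  "dependencies": [
    {"ref": "tcu-image", "dependsOn": ["zlib", "libcurl"]}
  ]
}
"""

# Constructed advisories with placeholder identifiers (not real CVEs).
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "EXAMPLE-0002", "name": "libcurl", "introduced": "7.80.0", "fixed": "7.84.0"},
    {"id": "EXAMPLE-0003", "name": "vendor-tls", "introduced": "2.0", "fixed": "2.2"},
]


def load_sbom() -> dict:
    """Parse the constructed SBOM document."""
    return json.loads(SBOM_JSON)


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a purely numeric dotted version (e.g. 1.2.11). Raises ValueError otherwise."""
    return tuple(int(part) for part in v.split("."))


def check_minimum_elements(sbom: dict) -> List[str]:
    """Return findings for NTIA minimum elements missing from the SBOM."""
    findings: List[str] = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing author or generating tool")
    # Every component should appear somewhere in the dependency graph.
    referenced = set()
    for dep in sbom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: missing unique identifier (purl/cpe)")
        if comp.get("bom-ref") not in referenced:
            findings.append(f"{label}: not in dependency graph")
    return findings


def match_advisories(sbom: dict, advisories: List[dict]) -> Dict[str, List[str]]:
    """Match components by name and version range.

    Components whose version cannot be parsed are reported under "review"
    rather than silently treated as unaffected.
    """
    result: Dict[str, List[str]] = {"affected": [], "review": []}
    by_name: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    for comp in sbom.get("components", []):
        for adv in by_name.get(comp.get("name"), []):
            try:
                version = parse_version(comp["version"])
            except (KeyError, ValueError):
                result["review"].append(
                    f"{comp.get('name')} {comp.get('version')}: {adv['id']} (unparseable version)")
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                result["affected"].append(f"{comp['name']} {comp['version']}: {adv['id']}")
    return result


if __name__ == "__main__":
    bom = load_sbom()
    for finding in check_minimum_elements(bom):
        print("SBOM quality:", finding)
    for bucket, items in match_advisories(bom, ADVISORIES).items():
        for item in items:
            print(bucket, "->", item)
```

Running it reports the hypothetical vendor-tls component as missing a supplier and absent from the dependency graph, flags zlib 1.2.11 as inside the EXAMPLE-0001 range, leaves libcurl 7.79.1 alone because it predates the affected range, and sends vendor-tls 2.1-rc3 for manual review because its version string is not purely numeric. That last path is deliberate: non-standard vendor version strings and missing identifiers are the usual reasons automated SBOM matching misses a component, and a pipeline should surface them instead of reporting a clean result.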
The Future of SBOMs in Automotive Cybersecurity
The adoption of SBOMs is still in its early stages in the automotive industry, but the benefits are clear. As regulatory requirements evolve and cyber threats become more sophisticated, SBOMs will become a critical component of cybersecurity and risk management strategies. By implementing SBOM best practices, automotive companies can enhance security, improve regulatory compliance, and mitigate supply chain risks.
Conclusion
The Auto-ISAC SBOM Informational Report serves as a valuable guide for automotive manufacturers, suppliers, and cybersecurity professionals looking to enhance software transparency and security. As the industry moves towards increased adoption of SBOMs, collaboration and standardization will be key to ensuring a secure and resilient software supply chain.
For organizations looking to implement SBOMs, now is the time to start integrating them into cybersecurity frameworks and supply chain management processes.