What's Happening?
Software Bills of Materials (SBOMs) and Vulnerability Exploitability Exchange (VEX) statements were introduced to enhance software supply chain security by providing detailed lists of software components and their vulnerabilities. However, these measures have not succeeded in reducing supply chain attacks, which have become more frequent. In March 2026, two significant attacks, on Trivy and Axios, affected tens of thousands of organizations. The issue is not a lack of data but the inconsistent interpretation of that data and the inconsistent decisions made from it. Security teams struggle with outdated documentation and lack a governance layer that interprets how SBOMs change over time. This has led to inconsistent security and compliance decisions, exacerbated by the rapid pace of AI-enabled attacks.
Why It's Important?
The failure of SBOMs and VEX to mitigate supply chain attacks poses significant risks to U.S. industries reliant on software security. As attacks increase, the need for consistent, auditable decision-making becomes critical. The reliance on outdated documentation and the lack of a unified decision intelligence approach leave organizations vulnerable. This situation is compounded by increasing regulatory pressures for SBOM mandates and supply chain transparency. The inability to effectively interpret and act on SBOM data could lead to severe security breaches, impacting businesses, government agencies, and the broader economy. The challenge is to develop a governance-driven intelligence layer that can provide explainable and defensible security decisions.
What's Next?
Organizations must prioritize the development of a unified decision intelligence approach to interpret SBOMs and VEX statements effectively. This involves integrating third-party disclosures into risk assessments and ensuring that security decisions are explainable and defensible. As regulatory pressures increase, companies will need to adapt to stricter requirements for secure development and supply chain transparency. The focus should be on creating a governance layer that can manage lifecycle signals and contextual inputs, rather than relying solely on automation. This shift is essential to stay ahead of rapidly evolving threats and to maintain national resilience against cyberattacks.
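The governance layer described above can be made concrete. The following is an added example, not code from the original article or from any SBOM or VEX tooling: it diffs two SBOM snapshots (so a reviewer sees what actually changed between builds), overlays VEX statements on the scanner findings for the new snapshot, and emits a decision record whose reason and evidence can be audited later. The SBOM, finding and VEX documents are constructed, simplified stand-ins for CycloneDX-style SBOMs and OpenVEX-style statuses; the package names, versions, vulnerability identifiers (VULN-EXAMPLE-*), the 90-day staleness limit and the decision vocabulary (accept / block / triage / reverify) are all assumptions of this example.

```python
"""Added example: SBOM diff + VEX overlay producing auditable decisions.

Everything below is constructed for illustration; the document shapes are
simplified versions of CycloneDX (SBOM) and OpenVEX (statement) formats.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed SBOM snapshot for build 41 (components keyed by package URL).
SBOM_V41 = {
    "components": [
        {"name": "example-http", "version": "1.6.0", "purl": "pkg:npm/example-http@1.6.0"},
        {"name": "example-utils", "version": "4.17.21", "purl": "pkg:npm/example-utils@4.17.21"},
    ]
}

# Constructed SBOM snapshot for build 42: one bump, one new transitive dependency.
SBOM_V42 = {
    "components": [
        {"name": "example-http", "version": "1.7.0", "purl": "pkg:npm/example-http@1.7.0"},
        {"name": "example-utils", "version": "4.17.21", "purl": "pkg:npm/example-utils@4.17.21"},
        {"name": "example-pad", "version": "1.3.0", "purl": "pkg:npm/example-pad@1.3.0"},
    ]
}

# Constructed scanner findings: purl -> vulnerability identifiers (placeholders, not real CVEs).
FINDINGS = {
    "pkg:npm/example-http@1.7.0": ["VULN-EXAMPLE-0001"],
    "pkg:npm/example-pad@1.3.0": ["VULN-EXAMPLE-0002"],
    "pkg:npm/example-utils@4.17.21": ["VULN-EXAMPLE-0003"],
}

# Constructed VEX statements using OpenVEX-style status values. The second one is
# deliberately old, to show how stale documentation is surfaced rather than trusted.
VEX = [
    {"vuln": "VULN-EXAMPLE-0001", "purl": "pkg:npm/example-http@1.7.0", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path", "issued": "2026-03-10T00:00:00Z"},
    {"vuln": "VULN-EXAMPLE-0003", "purl": "pkg:npm/example-utils@4.17.21", "status": "not_affected",
     "justification": "component_not_present", "issued": "2025-01-05T00:00:00Z"},
]

MAX_VEX_AGE = timedelta(days=90)                       # assumed governance policy
NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)       # fixed clock so the run is reproducible


def diff_sboms(old, new):
    """Return added, removed and version-changed component names between two snapshots."""
    old_by_name = {c["name"]: c for c in old["components"]}
    new_by_name = {c["name"]: c for c in new["components"]}
    common = old_by_name.keys() & new_by_name.keys()
    return {
        "added": sorted(new_by_name.keys() - old_by_name.keys()),
        "removed": sorted(old_by_name.keys() - new_by_name.keys()),
        "changed": {n: (old_by_name[n]["version"], new_by_name[n]["version"])
                    for n in common if old_by_name[n]["version"] != new_by_name[n]["version"]},
    }


def find_vex(vuln, purl, vex):
    """Locate the VEX statement for one (vulnerability, component) pair, if any."""
    return next((s for s in vex if s["vuln"] == vuln and s["purl"] == purl), None)


def decide(purl, vuln, vex, now):
    """Apply the governance rules to one finding and return an explainable decision record."""
    stmt = find_vex(vuln, purl, vex)
    record = {"purl": purl, "vuln": vuln, "vex": stmt}
    if stmt is None:
        return {"decision": "triage", "reason": "no VEX statement covers this finding", **record}
    issued = datetime.fromisoformat(stmt["issued"].replace("Z", "+00:00"))
    age = now - issued
    if age > MAX_VEX_AGE:
        return {"decision": "reverify",
                "reason": f"VEX statement is {age.days} days old, over the {MAX_VEX_AGE.days}-day limit",
                **record}
    if stmt["status"] == "not_affected" and stmt.get("justification"):
        return {"decision": "accept",
                "reason": f"VEX not_affected, justification={stmt['justification']}", **record}
    if stmt["status"] == "fixed":
        return {"decision": "accept", "reason": "VEX status fixed", **record}
    if stmt["status"] in ("affected", "under_investigation"):
        return {"decision": "block", "reason": f"VEX status {stmt['status']}", **record}
    return {"decision": "triage", "reason": f"unjustified or unknown VEX status {stmt['status']}", **record}


def evaluate(old, new, findings, vex, now):
    """Diff the snapshots, then decide every finding on the new snapshot with its change context."""
    delta = diff_sboms(old, new)
    decisions = []
    for comp in new["components"]:
        name = comp["name"]
        change = "added" if name in delta["added"] else "changed" if name in delta["changed"] else "unchanged"
        for vuln in findings.get(comp["purl"], []):
            record = decide(comp["purl"], vuln, vex, now)
            record["change"] = change
            decisions.append(record)
    return delta, decisions


if __name__ == "__main__":
    delta, decisions = evaluate(SBOM_V41, SBOM_V42, FINDINGS, VEX, NOW)
    print(json.dumps({"sbom_delta": delta, "decisions": decisions}, indent=2))
```

Each decision record keeps the VEX statement it relied on and the change context (added, changed or unchanged since the previous build), which is what makes the outcome defensible in an audit: a reviewer can see that the accepted finding rests on a recent, justified not_affected statement, that the stale statement was sent back for re-verification instead of being trusted, and that the newly introduced dependency with no VEX coverage was queued for triage.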