5 Reasons SBOMs Are Now a Core Engineering Requirement

A Software Bill of Materials (SBOM), once a niche term heard mostly in federal procurement circles, has become one of the most important topics in modern software engineering.

As part of the Critical Software ecosystem in the U.S., IQ, Inc. works across embedded systems, cybersecurity, medical devices, and connected products where the stakes of software supply chain risk are very real.

Here are five reasons why SBOMs are shifting from a "nice to have" to a baseline engineering requirement, and what that means for your team.

In 2021, Executive Order 14028 put SBOMs on the map for any software vendor working with the federal government. Since then, the FDA has made SBOMs a core expectation for premarket submissions of medical devices under its cybersecurity guidance. The EU Cyber Resilience Act is driving similar requirements across industries.

At IQ, we work with clients navigating FDA submissions and defense-adjacent software requirements, and the shift is clear: regulators are no longer asking whether you have an SBOM, they're asking to see it. Teams that treat SBOM generation as a post-development checkbox are finding themselves scrambling. The engineering teams that are ahead of the curve have embedded SBOM generation directly into their CI/CD pipelines, treating it the same way they treat automated testing.

Modern software (especially embedded and connected systems) relies on third-party libraries, open-source components, and vendor-supplied packages that can number in the hundreds. Without a structured inventory, a single disclosed vulnerability like Log4Shell can leave an engineering team  unable to quickly answer a critical question: Are we affected? 

At IQ, one of the first conversations we have with clients around cybersecurity architecture is visibility. An SBOM is foundational to that. It's not just a document — it's an operational asset that enables fast response when a CVE drops. Teams with SBOMs in place can triage in hours. Teams without them are still inventorying components days later. 

The SolarWinds breach and similar incidents have permanently changed how engineering teams think about the software supply chain. The threat isn't just external attackers, it's compromised dependencies, typosquatted packages, and upstream code that ships with vulnerabilities nobody noticed.

For IQ's embedded and robotics projects, supply chain integrity isn't abstract. We're dealing with software that runs in industrial environments, medical-grade hardware, and safety-critical systems. An undocumented dependency isn't just a compliance gap, it's a potential failure point in the field. SBOMs, combined with provenance tracking and integrity checks, give engineering teams a defensible chain of custody for everything that ships.

Beyond regulation, SBOMs are increasingly appearing in contract language and enterprise procurement questionnaires. Large customers — particularly in healthcare, defense, and industrial sectors — are asking vendors to demonstrate that they can produce SBOMs on demand and that their software development practices align with NIST and CISA frameworks.

This is a competitive reality IQ's clients are facing. Organizations that can answer the SBOM question with confidence, and back it up with tooling and process, are winning deals. Those that can't are losing them or facing expensive remediation requirements mid-contract. The business case has caught up with the technical case, and that combination tends to drive lasting change in engineering practice.

A common objection a few years ago was that generating and maintaining a high-quality SBOM was too manual and too expensive to scale. That's no longer a credible argument. Tools like Syft, CycloneDX, and SPDX-compatible generators have matured significantly. SBOM generation can be integrated into build pipelines with relatively low friction, and outputs can feed directly into vulnerability management platforms.

At IQ, we help clients integrate SBOM generation as part of a broader DevSecOps practice — not as a standalone task, but as one piece of a secure software development lifecycle. The investment is modest compared to the cost of a supply chain incident, a failed audit, or a delayed regulatory submission. For teams building embedded, connected, or safety-critical software, it's simply good engineering.

If your team is evaluating how to operationalize SBOM generation, secure software supply chains, or regulatory readiness, explore our joint solution brief with RunSafe Security on moving from SBOM compliance to continuous cybersecurity governance.

About IQ Inc. 

IQ, Inc., part of the Critical Software group, is a software and engineering firm based in Pittsburgh, PA, specializing in custom software development, software engineering, QA/testing, and technology consulting for companies operating in highly technical and regulated industries.