FYI: Anti-SBOM campaign from ITI

Dick Brooks

Just an FYI


I hope the #SBOM community is aware of the "Anti-SBOM" campaign currently underway from the Information Technology Industry Council (ITI). This excerpt from a recent ITI letter shows a clear lack of empathy for software consumers that need an SBOM to monitor for vulnerabilities in installed software.


Discourage agencies from requiring artifacts until SBOMs are scalable and consumable. We recognize and appreciate the value of flexibility built into the OMB process. Given the current level of (im-)maturity, we believe that SBOMs are not suitable contract requirements yet. The SBOM conversation needs more time to move towards a place where standardized SBOMs are scalable for all software categories and can be consumed by agencies. At this time, it is premature and of limited utility for software producers to provide an SBOM. We ask that OMB discourage agencies from requiring artifacts until there is a greater understanding of how they ought to be provided and until agencies are ready to consume the artifacts that they request.


Here’s an article I posted on Energy Central regarding the November 22, 2022 ITI letter to OMB:




Dick Brooks


Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership


Never trust software, always verify and report!

Email: dick@...

Tel: +1 978-696-1788