Dr. Allan Friedman, usually described as the Father of SBOMs while working for CISA, is joining NetRise as a strategic advisor.
Though CISA is severely affected by the current government shutdown (roughly two-thirds of its workforce were furloughed in October 2025), this played no part in Friedman's decision to move on from the agency in August 2025.
In his own words, “I'm still excited by building things, and I felt that many of those things lay outside CISA's remit.”
SBOMs are machine-readable inventories of the components and dependencies used to build a piece of software, providing greater visibility into software supply chains. The software developer produces the SBOM, while the software consumer decides how to use it. NetRise, a supply chain security firm, has an interest in SBOMs to help its clients better secure themselves against software supply chain threats lurking in third-party software components.
To be of value, SBOMs must be accurately constructed and intelligently consumed. The ‘project’ gained a boost from Biden's EO 14028, issued in May 2021, requiring that any software sold into the US government must include an SBOM. But apart from this fillip, there is no legal requirement to produce an SBOM, nor any automatic assumption of availability.
The alliance of the Father of the SBOM with a company that focuses on supply chain security is a natural match that could lead to greater availability and more intelligent use.
There is a potential danger that the rise and increasing potential of AI could lead companies to downgrade the importance of SBOMs. AI is already being used for threat hunting, and that use will continue and expand. Why would I need an SBOM when AI will tell me what threats I have and where they are?
“I'd love that to be true,” commented Thomas Pace (co-founder and CEO of NetRise), “but right now it can't do that. It can help with supply chain visibility, but it can't solve the whole problem.”
Friedman added, “The SBOM remains necessary. As we witness this AI takeover, the SBOM is going to be one of the last things it replaces. AI can do many things, but it's dependent on the data it consumes – and the SBOM provides that data.”
Pace expanded on this: “Let me give you an example. You might have a log4j in a standalone Windows application, and then you might also have that log4j in a Cisco switch. To extract the artifacts, you need to assess and determine whether the log4j is in either of those assets, and that requires two different processes. Just finding log4j in a Windows application doesn't give you the ability to find it in the Cisco switch. That is the whole point. Now, once you've done all the extraction and you've identified all the components [via SBOMs], that's where AI comes in.”
He continued, “To Friedman's point, you can give the LLM context about where that component is found and what it's in and how it's supposed to run or operate that you can't get otherwise. With that information, you can ask the LLM to explain the actual risk of this log4j component. And it will reply, ‘based on this configuration, there is actually a very low probability of it being a problem for you’ (or vice versa).”
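The consumer-side step Pace describes, locating one component across SBOMs produced for very different assets and carrying the asset context along with each hit, looks like the following. This is an added illustration written for this article, not NetRise code or any tool it ships; the two CycloneDX-style documents are constructed samples with made-up product names, and the `fixed_in` threshold is a parameter the analyst supplies from their own advisory data rather than anything stated on the page.

```python
"""Consume several CycloneDX JSON SBOMs and locate one component across them.

Both SBOM documents below are constructed samples for this example; they are
not real product inventories and not NetRise output.
"""
import json
from dataclasses import dataclass

# Constructed sample: SBOM describing a standalone desktop application.
WINDOWS_APP_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "example-desktop-app", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    ],
})

# Constructed sample: SBOM describing a network switch firmware image.
SWITCH_FIRMWARE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "firmware",
                               "name": "example-switch-firmware", "version": "17.9"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})


@dataclass(frozen=True)
class Finding:
    """One occurrence of a component, together with the asset it was found in."""
    asset: str        # metadata.component.name of the SBOM: the product itself
    asset_type: str   # application, firmware, device, ...: the context an analyst needs
    component: str
    version: str
    purl: str


def parse_sbom(text):
    """Return (asset name, asset type, component list) from a CycloneDX JSON SBOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    meta = doc.get("metadata", {}).get("component", {})
    return (meta.get("name", "<unnamed asset>"),
            meta.get("type", "unknown"),
            doc.get("components", []))


def parse_version(version):
    """Turn '2.17.1' into (2, 17, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_component(sboms, name):
    """Find every occurrence of a component (case-insensitive) across many SBOMs."""
    findings = []
    for text in sboms:
        asset, asset_type, components = parse_sbom(text)
        for comp in components:
            if comp.get("name", "").lower() == name.lower():
                findings.append(Finding(asset, asset_type, comp["name"],
                                        comp.get("version", ""), comp.get("purl", "")))
    return findings


def older_than(findings, fixed_in):
    """Keep only findings whose version predates the analyst-supplied fixed version."""
    return [f for f in findings if parse_version(f.version) < parse_version(fixed_in)]


if __name__ == "__main__":
    hits = find_component([WINDOWS_APP_SBOM, SWITCH_FIRMWARE_SBOM], "log4j-core")
    for hit in hits:
        print(f"{hit.component} {hit.version} in {hit.asset_type} '{hit.asset}'")
    # The threshold value here is illustrative, not a statement about any advisory.
    for hit in older_than(hits, "2.17.1"):
        print(f"needs attention: {hit.asset} ({hit.purl})")
```

The point of carrying `asset` and `asset_type` in each `Finding` is exactly the context Pace refers to: the same component string means something different inside a desktop application than inside switch firmware, and that is the information a downstream analyst, or an LLM asked to explain the risk, needs alongside the bare component name and version.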
So, for the moment, SBOMs are necessary to feed AI, while AI can help the software consumer understand what needs to be done. As Kirsten Davies (former CISO at Unilever, SVP and CISO at Estée Lauder, MD and group CSO at Barclays – and nominee for CIO at the DOD) told the Senate Armed Services Committee confirmation hearing on September 18, 2025, “If confirmed, I will ensure the Department not only collects SBOMs in contracts but also develops the people, processes, and tools needed to analyze them and act on the results. SBOMs should be integrated with other assurance practices, such as secure development, automated code scanning, and continuous monitoring so the Department can reduce risk and improve reliability in software-intensive systems.”
By bringing the deep founding knowledge of SBOMs and their capabilities to a firm that specializes (with the help of AI) in securing software supply chains, Friedman and NetRise are effectively combining SBOMs and AI in the manner envisaged by the administration's nominee for DOD CIO.
“We have made progress on understanding the need for SBOMs and related data, but we also need quality tools. NetRise is leading the way to deliver on the comprehensive and accurate identification of components, uncovering hidden risk, and actioning remediation of that risk,” said Friedman.
NetRise raised $10 million in a Series A funding round in April 2025, bringing the total amount raised by the company to nearly $25 million.