Thursday, March 19, 2026

Keysight Launches SBOM Manager to Help Organizations Prepare for Emerging Global Cybersecurity Regulations – Business Wire

The Digital Supply Chain Under Siege: A New Regulatory Dawn

In an increasingly interconnected world, the software that powers our economies, governments, and daily lives has become a primary target for malicious actors. High-profile cyberattacks, such as the SolarWinds breach and the Log4j vulnerability crisis, have exposed a critical and often overlooked vulnerability: the software supply chain. Modern applications are not monolithic creations but complex amalgams of proprietary code, open-source libraries, and third-party components. A single flaw in one of these “ingredients” can create a cascading failure, compromising thousands of organizations simultaneously. Recognizing this systemic risk, governments and regulatory bodies across the globe are enacting a new wave of stringent cybersecurity legislation, shifting the burden of responsibility squarely onto the shoulders of software producers.

Responding to this seismic shift in the compliance and security landscape, Keysight Technologies, a leading technology company renowned for its test, measurement, and visibility solutions, has announced the launch of its SBOM Manager. This new platform is designed to provide organizations with a comprehensive solution for managing, analyzing, and acting upon Software Bills of Materials (SBOMs)—a foundational element of the new regulatory environment. As businesses scramble to gain visibility into the intricate web of dependencies within their software, Keysight’s entry into this market signals a critical maturation point for software supply chain security. The tool aims to transform the daunting task of compliance from a reactive, manual process into a proactive, automated, and integrated part of the software development lifecycle, helping organizations not only meet emerging global mandates but also fundamentally enhance their cybersecurity posture.

The Regulatory Gauntlet: Understanding the Global Push for Transparency

The launch of Keysight’s SBOM Manager is not happening in a vacuum. It is a direct response to a powerful undercurrent of regulatory pressure that is reshaping how software is developed, sold, and maintained. For decades, the internal composition of software was a black box for most consumers and even for many of the organizations deploying it. This opacity is no longer acceptable to regulators, who now view software supply chain integrity as a matter of national and economic security.

The White House Mandate: Executive Order 14028

Perhaps the most influential catalyst for the adoption of SBOMs in the United States has been President Biden’s Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” issued in May 2021. This sweeping directive was a direct response to major cyber incidents and laid out a clear roadmap for modernizing federal cybersecurity defenses. A cornerstone of this order is the requirement for any software vendor selling to the U.S. federal government to provide an SBOM for their products.

This mandate effectively weaponized the government’s immense purchasing power to drive industry-wide change. The National Institute of Standards and Technology (NIST) was tasked with defining the minimum elements of an SBOM, establishing a common language and framework. The implications are profound: any company wishing to engage in the lucrative federal market must now be capable of producing and delivering accurate, machine-readable SBOMs. This has forced a rapid education and tooling-up process across the software industry, as what was once a niche best practice has become a contractual obligation.

Europe’s Digital Fortress: The Cyber Resilience Act (CRA)

Across the Atlantic, the European Union is pursuing an even more ambitious and far-reaching initiative. The proposed Cyber Resilience Act (CRA) aims to establish a baseline of cybersecurity requirements for all “products with digital elements” sold within the EU market. Unlike the U.S. Executive Order, which focuses on federal procurement, the CRA applies to a vast range of consumer and industrial products—from smart refrigerators and IoT devices to operating systems and industrial control systems.

A central tenet of the CRA is the requirement for manufacturers to be transparent about the components within their products. This includes providing an SBOM to customers upon request. Furthermore, the act mandates that manufacturers actively manage vulnerabilities in their products for a specified period, requiring them to have processes in place to identify and patch flaws in the third-party components they use. Non-compliance could result in substantial fines, mirroring the punitive structure of the GDPR. The CRA, once enacted, will make SBOMs a de facto standard for doing business in the world’s largest single market.

Industry-Specific Pressures: From Healthcare to Critical Infrastructure

Beyond these broad governmental mandates, industry-specific regulations are also driving SBOM adoption. The U.S. Food and Drug Administration (FDA) has been a pioneer in this area, recognizing the critical safety implications of software in medical devices. For years, the FDA has been strengthening its pre-market and post-market cybersecurity guidance, explicitly calling for manufacturers to provide SBOMs as part of their submissions. This allows both the regulator and healthcare providers to assess the risk profile of a device and respond quickly if a vulnerability is discovered in one of its software components.

Similarly, agencies responsible for protecting critical infrastructure, such as the Cybersecurity and Infrastructure Security Agency (CISA), have championed SBOMs as an essential tool for securing the energy, finance, and communications sectors. CISA actively works to promote SBOM standards and tooling, viewing them as a critical piece of the puzzle in building national resilience against sophisticated cyber threats.

Demystifying the SBOM: The “Ingredients List” for Modern Software

With regulators demanding them and companies like Keysight building tools to manage them, it is essential to understand what an SBOM is and why it has become so crucial. At its core, the concept is remarkably simple, yet its implications for cybersecurity are transformative.

What Exactly is a Software Bill of Materials?

A Software Bill of Materials is a formal, machine-readable inventory of the software components, libraries, and modules required to build a given piece of software. The most common and effective analogy is that of an ingredients list on a food package. Just as a consumer with a peanut allergy needs to know if a product contains nuts, an organization needs to know if its critical application contains a vulnerable version of a library like Log4j or OpenSSL.

An SBOM provides a detailed, nested list of these “ingredients.” It doesn’t just list the direct dependencies—the components the developers explicitly chose to include. It also lists the transitive dependencies—the components that those dependencies rely on, and so on, down the line. This complete, hierarchical view is vital, as a vulnerability can often be hidden several layers deep in the supply chain, unknown to the application’s developer.

The Anatomy of an SBOM: Key Formats and Components

To be useful, SBOMs must be standardized. Two primary formats have emerged as industry leaders:

  • SPDX (Software Package Data Exchange): An open standard maintained by the Linux Foundation, SPDX is a comprehensive format that captures information about software packages, licensing, copyrights, and security references.
  • CycloneDX: An open-source standard from the OWASP Foundation, CycloneDX is a lightweight format specifically designed for security use cases and identifying supply chain risks.

Both formats are machine-readable (typically in JSON, XML, or other structured data formats), which is critical for automation. A typical SBOM will contain, for each component, key data fields such as: Component Name, Component Version, Supplier Name, License Information, and unique identifiers (like Package URL or PURL) that allow the component to be cross-referenced with vulnerability databases.
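The nested "ingredients list" and the PURL identifiers described above can be read directly out of a CycloneDX JSON document. The script below is an added example written for this article; it is not code from Keysight or from the CycloneDX project. The field names (`bomFormat`, `components`, `bom-ref`, `purl`, `licenses`, `dependencies`) follow the public CycloneDX JSON schema, but the SBOM content itself is constructed, and the `dependency_depths`, `parse_purl` and `inventory` helpers are this example's own. It walks the dependency graph from the root application to label each component as direct (depth 1) or transitive (depth 2 and deeper), and it also surfaces a component that is listed but never wired into the graph, which is one of the completeness defects a consumer of third-party SBOMs should look for.

```python
import json
from collections import deque
from urllib.parse import unquote

# Constructed CycloneDX 1.5 JSON SBOM for illustration only (not from any real product).
# The "test-helper" component is deliberately absent from the dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "example-service", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/web-framework@5.1.0", "type": "library",
         "group": "com.example", "name": "web-framework", "version": "5.1.0",
         "purl": "pkg:maven/com.example/web-framework@5.1.0",
         "supplier": {"name": "Example Corp"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "type": "library",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "supplier": {"name": "Apache Software Foundation"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1", "type": "library",
         "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
         "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
        {"bom-ref": "pkg:maven/com.example/test-helper@1.0.0", "type": "library",
         "group": "com.example", "name": "test-helper", "version": "1.0.0",
         "purl": "pkg:maven/com.example/test-helper@1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/web-framework@5.1.0"]},
        {"ref": "pkg:maven/com.example/web-framework@5.1.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]},
    ],
})


def parse_purl(purl):
    """Split a Package URL (pkg:type/namespace/name@version?qualifiers#subpath) into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    rest, _, version = rest.partition("@")
    parts = rest.split("/")
    quals = dict(q.split("=", 1) for q in qualifiers.split("&") if q) if qualifiers else {}
    return {"type": parts[0].lower(),
            "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
            "name": unquote(parts[-1]), "version": unquote(version) or None,
            "qualifiers": quals, "subpath": subpath or None}


def license_of(component):
    """Return a printable license string; CycloneDX allows id, name or an SPDX expression."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ", ".join(ids) if ids else "UNKNOWN"


def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled by this example")
    return sbom


def dependency_depths(sbom):
    """BFS from the root application: depth 1 = direct dependency, >1 = transitive.
    Components never reached from the root get depth None (listed but unreferenced)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths = {c["bom-ref"]: None for c in sbom.get("components", [])}
    queue, seen = deque([(root, 0)]), {root}
    while queue:
        ref, depth = queue.popleft()
        for child in graph.get(ref, []):
            if child not in seen:
                seen.add(child)
                depths[child] = depth + 1
                queue.append((child, depth + 1))
    return depths


def inventory(sbom):
    """One row per component: name, version, PURL parts, license and graph depth."""
    depths = dependency_depths(sbom)
    rows = []
    for c in sbom.get("components", []):
        p = parse_purl(c["purl"])
        rows.append({"name": c["name"], "version": c.get("version"), "type": p["type"],
                     "namespace": p["namespace"], "license": license_of(c),
                     "depth": depths.get(c["bom-ref"])})
    return sorted(rows, key=lambda r: (r["depth"] is None, r["depth"] or 0, r["name"]))


if __name__ == "__main__":
    for row in inventory(load_sbom(SAMPLE_SBOM)):
        kind = "UNREFERENCED" if row["depth"] is None else f"depth {row['depth']}"
        print(f"{row['name']}@{row['version']} [{row['license']}] {kind}")
```

The depth-None case matters in practice: a vendor SBOM that lists components without a dependency graph cannot tell you whether a vulnerable library is actually reachable from the product, so the inventory flags it rather than silently treating it as a leaf.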

The Triple Crown of Value: Security, Compliance, and Trust

The value of maintaining a comprehensive SBOM inventory extends far beyond simply ticking a regulatory box. It delivers tangible benefits across the organization.

  1. Enhanced Vulnerability Management: This is the most immediate security benefit. When a new zero-day vulnerability like “Log4Shell” is announced, an organization with a complete SBOM inventory can instantly query its entire software portfolio to determine exactly which applications are affected. This transforms a frantic, multi-week manual search into a targeted, hours-long remediation effort.
  2. Streamlined License Compliance: Open-source software comes with a variety of licenses, some of which (known as “copyleft” licenses) can have significant legal implications for proprietary code. An SBOM allows legal and development teams to automatically audit all components to ensure compliance with their licensing obligations, avoiding costly legal disputes.
  3. Building Transparency and Trust: In a world of heightened cyber risk, being able to provide customers with an accurate SBOM is a powerful differentiator. It demonstrates a commitment to transparency and security, building trust and providing customers with the information they need to manage their own risk.

Keysight’s Answer: A Deep Dive into the New SBOM Manager

Understanding the regulatory pressures and the fundamental value of SBOMs sets the stage for Keysight’s new offering. The SBOM Manager is not just a tool for creating a list; it is a platform designed to operationalize SBOM data, turning it from a static compliance artifact into a dynamic source of security intelligence.

A Centralized Command Center for Software Transparency

For any large organization, software is not developed or procured in a single place. Different teams use different tools, and software is acquired from hundreds of vendors. This creates a chaotic environment where SBOMs, if they exist at all, are scattered across disparate systems in various formats. The primary function of the Keysight SBOM Manager is to act as a centralized repository and a single source of truth.

The platform is designed to ingest, parse, and normalize SBOMs from virtually any source—whether they are generated internally by development teams, provided by commercial software vendors, or sourced from open-source projects. By creating this centralized hub, security and compliance teams gain unprecedented visibility into the composition of every piece of software running in their environment.

Core Capabilities: From Ingestion to Actionable Intelligence

Based on the needs of the market, the Keysight SBOM Manager is engineered with a suite of features to manage the entire SBOM lifecycle:

  • Generation and Ingestion: The platform integrates with Software Composition Analysis (SCA) tools—which may be part of Keysight’s broader security portfolio—to generate SBOMs by scanning source code and binaries. It can also ingest SBOMs in standard formats like SPDX and CycloneDX from third-party vendors.
  • Vulnerability Correlation: This is where the data becomes intelligence. The SBOM Manager automatically cross-references every component listed in every SBOM against a multitude of public and private vulnerability databases. This includes the National Vulnerability Database (NVD), CISA’s Known Exploited Vulnerabilities (KEV) Catalog, and other threat intelligence feeds. When a match is found, it is immediately flagged.
  • Policy Enforcement and Risk Scoring: The platform allows organizations to move beyond simple vulnerability detection to proactive risk management. Administrators can define custom policies, such as “No components with critical-severity vulnerabilities are permitted in production applications,” or “Flag any software using components with non-approved licenses.” The system can then automatically score the risk of an application based on its SBOM and policy violations, allowing teams to prioritize their remediation efforts.
  • Lifecycle Tracking and Drift Detection: Software is not static. A new version of an application may introduce new libraries or update existing ones. The SBOM Manager is designed to track these changes over time, comparing different versions of an SBOM to detect “drift.” This ensures that the security posture of an application is continuously monitored, not just checked at a single point in time.
  • Comprehensive Reporting and Auditing: To meet compliance demands, the platform features robust reporting capabilities. It can generate compliance reports tailored to specific regulations (like EO 14028 or the CRA), provide detailed vulnerability summaries for security teams, and create audit trails to demonstrate due diligence to regulators and customers.

Integrating Security into the DevOps Lifecycle

Critically, Keysight is positioning the SBOM Manager not as a standalone, post-facto security tool, but as an integrated component of the modern DevSecOps workflow. By using APIs to connect with CI/CD (Continuous Integration/Continuous Deployment) pipelines, the platform can provide real-time feedback to developers. For instance, a build could be automatically failed if the code being checked in introduces a component with a known critical vulnerability. This “shift-left” approach embeds security directly into the development process, making it more efficient and effective than traditional, end-of-cycle security gates.
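The capabilities listed above (vulnerability correlation, policy enforcement, drift detection) and the CI gate described in this paragraph are the same pipeline seen from two angles, so one worked example covers both. It is an added example written for this article, not Keysight's code and not a description of the SBOM Manager's internals. Everything in it is constructed: the two build inventories, the vulnerability feed (placeholder IDs `VULN-EXAMPLE-0001` and `-0002` standing in for entries a real tool would pull from NVD or the KEV catalog, with OSV-style `introduced`/`fixed` ranges), the `POLICY` dictionary, and the helper names. Version comparison is deliberately simplified to dotted integers; real tools need ecosystem-specific version semantics.

```python
# Constructed component inventories (flat lists of purl + license), as a tool
# would hold them after ingesting one SBOM per build. Not from any real product.
PREVIOUS_BUILD = [
    {"purl": "pkg:maven/com.example/web-framework@5.0.0", "license": "Apache-2.0"},
    {"purl": "pkg:maven/com.example/json-lib@1.2.0", "license": "MIT"},
]
CANDIDATE_BUILD = [
    {"purl": "pkg:maven/com.example/web-framework@5.1.0", "license": "Apache-2.0"},
    {"purl": "pkg:maven/com.example/json-lib@1.2.0", "license": "MIT"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "license": "Apache-2.0"},
    {"purl": "pkg:maven/com.example/pdf-tool@3.0.0", "license": "GPL-3.0-only"},
]
# Constructed vulnerability feed with placeholder IDs; affected range is introduced <= v < fixed.
VULN_FEED = [
    {"id": "VULN-EXAMPLE-0001", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "CRITICAL", "kev": True},
    {"id": "VULN-EXAMPLE-0002", "package": "pkg:maven/com.example/web-framework",
     "introduced": "5.0.0", "fixed": "5.1.0", "severity": "HIGH", "kev": False},
]
# Example policy, in the spirit of "no critical vulnerabilities in production" and
# "flag non-approved licenses". Shape is this example's own.
POLICY = {"block_severities": {"CRITICAL"}, "block_kev": True,
          "approved_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause"}}


def version_key(v):
    """Simplified comparison key: dotted integers only (non-numeric parts count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def split_purl(purl):
    """Return (package identity without version, version)."""
    base, _, version = purl.partition("@")
    return base, version


def find_vulnerabilities(components, feed):
    """Correlate each component's PURL and version against the feed's affected ranges."""
    findings = []
    for c in components:
        base, ver = split_purl(c["purl"])
        for v in feed:
            if v["package"] != base:
                continue
            if version_key(v["introduced"]) <= version_key(ver) < version_key(v["fixed"]):
                findings.append({"purl": c["purl"], "id": v["id"],
                                 "severity": v["severity"], "kev": v["kev"]})
    return findings


def detect_drift(old, new):
    """Compare two inventories by package identity: added, removed, version-changed."""
    old_map = {split_purl(c["purl"])[0]: c["purl"] for c in old}
    new_map = {split_purl(c["purl"])[0]: c["purl"] for c in new}
    return {"added": sorted(set(new_map) - set(old_map)),
            "removed": sorted(set(old_map) - set(new_map)),
            "changed": sorted(k for k in set(old_map) & set(new_map)
                              if old_map[k] != new_map[k])}


def evaluate_policy(components, feed, policy):
    """Return a list of human-readable policy violations (empty list means compliant)."""
    reasons = []
    for f in find_vulnerabilities(components, feed):
        if f["severity"] in policy["block_severities"] or (policy["block_kev"] and f["kev"]):
            tag = ", in KEV" if f["kev"] else ""
            reasons.append(f"{f['purl']}: {f['id']} ({f['severity']}{tag})")
    for c in components:
        if c.get("license") not in policy["approved_licenses"]:
            reasons.append(f"{c['purl']}: license {c.get('license')} not approved")
    return reasons


def gate_build(previous, candidate, feed, policy):
    """CI/CD gate: (passed, reasons, drift). The build fails when any reason is present."""
    drift = detect_drift(previous, candidate)
    reasons = evaluate_policy(candidate, feed, policy)
    return (not reasons, reasons, drift)


def affected_applications(portfolio, vuln_id, feed):
    """Portfolio-wide query: which applications contain a component hit by vuln_id."""
    return sorted(app for app, comps in portfolio.items()
                  if any(f["id"] == vuln_id for f in find_vulnerabilities(comps, feed)))


if __name__ == "__main__":
    passed, reasons, drift = gate_build(PREVIOUS_BUILD, CANDIDATE_BUILD, VULN_FEED, POLICY)
    print("drift:", drift)
    print("build", "PASSED" if passed else "FAILED")
    for r in reasons:
        print("  -", r)
    portfolio = {"billing": CANDIDATE_BUILD, "portal": PREVIOUS_BUILD}
    print("affected by VULN-EXAMPLE-0001:", affected_applications(portfolio, "VULN-EXAMPLE-0001", VULN_FEED))
```

Note that the previous build carries a HIGH finding on `web-framework@5.0.0` yet passes the gate, because the policy only blocks CRITICAL and KEV-listed issues; a detection is not automatically a violation, and separating the two is what lets teams prioritize rather than drown in alerts. The candidate fails for two independent reasons (a KEV-listed critical component and a non-approved license), and the drift output shows exactly which packages the change introduced.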

Strategic Analysis: Navigating the Complexities of SBOM Adoption

Keysight’s launch is a significant event, but it also highlights the broader challenges and strategic considerations within the rapidly evolving software supply chain security market.

The Burgeoning SBOM Ecosystem

The demand for SBOM solutions has created a vibrant and competitive market. Keysight enters a space populated by several types of players:

  • Dedicated SBOM Startups: A new class of companies has emerged focused solely on providing tools for SBOM generation, management, and analysis.
  • Established SCA Vendors: Companies that have long specialized in Software Composition Analysis (like Snyk and Sonatype) are natural leaders in this space, as SBOM generation is a core function of their products. They are now expanding their platforms to include more robust management and compliance features.
  • Application Security Posture Management (ASPM) Platforms: Broader security platforms are integrating SBOM capabilities as one part of a more holistic view of application risk.

This competitive landscape indicates the market’s vitality and the recognized importance of the problem. Success will depend on factors like ease of integration, the quality of vulnerability intelligence, and the ability to scale to meet the needs of large enterprises.

Keysight’s Strategic Pivot: From Network Testing to Code Composition

For Keysight, this move represents a logical and strategic extension of its core competencies. Historically known for its hardware and software for testing physical and network layers, the company has been steadily expanding its security portfolio, notably through its acquisition of Ixia. Ixia provided Keysight with deep expertise in network visibility and security testing.

The SBOM Manager moves Keysight further “up the stack,” from testing the *behavior* of applications and networks to inspecting the very *composition* of the software itself. This creates a powerful synergy. A customer can now use Keysight solutions to validate the security of their network infrastructure, test the resilience of their applications against attack traffic, and now, verify the integrity of the underlying code. This positions Keysight as a more holistic security and quality assurance partner for its customers.

Overcoming the Hurdles: The Practical Challenges of Implementation

Despite the clear benefits and regulatory imperatives, widespread SBOM adoption is not without its challenges, which tools like Keysight’s aim to solve.

  • Scale: A large enterprise may have thousands of applications, each composed of hundreds or thousands of components. Managing SBOMs at this scale is a monumental data management problem that is impossible without sophisticated, automated tooling.
  • Accuracy and Completeness: The old adage “garbage in, garbage out” applies perfectly to SBOMs. An inaccurate or incomplete SBOM can provide a false sense of security. Ensuring the quality of SBOMs, especially those received from third-party vendors, is a significant challenge.
  • Toolchain Integration: To be effective, SBOM management cannot be a siloed activity. It must be deeply integrated into the existing developer toolchain, security information and event management (SIEM) systems, and governance, risk, and compliance (GRC) platforms.

Conclusion: The Future is Transparent

The launch of the Keysight SBOM Manager is more than just a new product announcement; it is a clear indicator of a fundamental and permanent shift in the cybersecurity landscape. The era of the software “black box” is over. Driven by relentless threats and reinforced by global regulation, software transparency is becoming the new standard of care. An SBOM is no longer a “nice-to-have” for mature security programs but is rapidly becoming a “must-have” for legal and operational viability.

Organizations that embrace this new reality will not only ensure compliance but will also build more resilient, secure, and trustworthy products. The journey requires a combination of process, policy, and technology. As the complexity of the software supply chain continues to grow, sophisticated management platforms will become indispensable, serving as the command center for navigating this new terrain. By providing a tool to manage this complexity, Keysight and others in this space are not merely selling software; they are providing the essential infrastructure for a more secure and transparent digital future.
