In Brief:
- The Cyber Resilience Act’s reporting duties start in September 2026, with broader obligations following in December 2027.
- Keysight SBOM Manager combines binary-only analysis, SBOM generation, vulnerability tracking, VEX handling, and consumer-side ingestion in one workflow.
- The shift pushes SBOMs beyond compliance paperwork and into day-to-day product security, engineering, and post-deployment asset management.
Keysight Technologies has launched SBOM Manager as software transparency rules begin to bite across connected products, industrial systems, and regulated devices. The new platform is aimed at manufacturers that need to generate, maintain, validate, and share software bills of materials without turning the exercise into another manual compliance burden. That timing matters, because Europe’s Cyber Resilience Act moves into its reporting phase in September 2026, before broader compliance requirements arrive in late 2027.
Rather than treating the SBOM as a one-off export, Keysight is packaging it as a lifecycle workflow. The toolset spans binary-only analysis for software and firmware, CycloneDX and SPDX output, vulnerability lifecycle management, VEX and VDP handling, and a consumer module for automated SBOM ingestion and validation against deployed assets. That is a more useful proposition than simple component inventory, because the hard part for many manufacturers is no longer producing an SBOM once, but keeping it accurate as products, dependencies, and field exposures change.
The regulatory backdrop is tightening quickly. Under the CRA, manufacturers of products with digital elements are expected to identify and document components and vulnerabilities, put coordinated disclosure processes in place, and issue security updates without undue delay. In the US, software supply chain security has been pushed higher up the agenda by Executive Order 14028, while FDA cybersecurity guidance continues to pull SBOM documentation into medical device premarket work. For electronics companies shipping embedded software into instruments, controllers, gateways, and medical platforms, that moves SBOM management out of policy teams and into engineering and product security operations.
Keysight is leaning into that shift with a platform designed as much to reduce false workload as to generate paperwork. Its launch material highlights continuous correlation with vulnerability intelligence, filtering for non-applicable issues, and support for VEX so teams can distinguish theoretical exposure from exploitable risk. “As cybersecurity regulations mature, SBOMs are becoming a prerequisite for doing business globally,” said Ram Periakaruppan, Vice President and General Manager, Network Test & Security Solutions at Keysight.
The commercial question is whether manufacturers adopt this as part of release engineering rather than as a compliance afterthought. That looks increasingly likely. Once firmware images, open-source packages, third-party components, and fielded asset inventories are tied into the same process, the SBOM stops behaving like a document produced for auditors and starts acting more like a living service record for the product itself.


