CISOOnline

EU’s Cyber Resiliency Act will put IT leaders to the test

Although nearly every organization surveyed in SaaS alternative Cloudsmith’s recent Artifact Management Report generates SBOMs, only a quarter do so automatically rather than manually or on demand. Over half said producing a comprehensive report would take significant time and effort, while fewer than a third were very confident they could pass the kind of unexpected software supply chain audit the CRA’s spot checks will require.

“A lot of organizations weren’t doing software supply chain best practices,” says Alison Sickelka, VP of product at Cloudsmith. “And that’s reflected in people having to scramble to figure out how they’re going to generate SBOMs, do reporting, and have all that in place in time.” Sometimes seen as a burden slowing down software development, SBOMs and auditability are now necessities, she adds.

For a lot of CIOs, though, the CRA isn’t even on their radar. “They may think it’s almost a tick box exercise,” says Oli Venn, engineering manager at security vendor WatchGuard, rather than a broad regulation with aggressive reporting requirements covering the entire product lifecycle, from planning and design to support and maintenance.

“If you’re any kind of vendor, or you’re manufacturing or supplying any digital system, whether it’s smart thermostats, coffee machines or anything else that can be connected to the internet or a network, that falls into regulation,” he adds. “If you’ve got developers and consumers using that in any way, then you fall into scope for the CRA.”
