Strengthening the CMMC Boundary: Why Software Bill of Materials (SBOMs) Are Essential for Secure Supply Chains in Defense Contracting
- Jan 20
In today's interconnected defense industrial base, defining and protecting your CMMC Boundary is more critical than ever. The CMMC Boundary is the clearly scoped set of systems, assets, people, facilities, and processes that handle, process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). It serves as the foundation for achieving Cybersecurity Maturity Model Certification (CMMC) compliance. As Dr. Georgianna Shea, a seasoned cyber practitioner at the Foundation for Defense of Democracies (FDD), explains in a recent podcast interview, modern software is rarely built from scratch: "when you start to look at the composition of software, you'll find that 90% of all software is open source." This reality amplifies supply chain risks and makes transparency tools like Software Bill of Materials (SBOMs) indispensable for safeguarding that boundary.
Dr. Shea highlights the hidden dependencies lurking in software: "if I look at the software and then I decompose it, I look at the software bill of material, and now I can see all of the component pieces of software that are helping it, there might be a couple to hundreds in that first tier dependency. And then when you dig into those, there may be thousands." In one pilot she conducted on Department of Defense-developed software, what appeared to be a simple system with three major open-source dependencies actually unraveled into "2,000 that supported this one, another couple thousand that supported the other." Without visibility into these layers, adversaries can exploit dormant vulnerabilities or insert malicious code. Those threats directly undermine the integrity of systems within your CMMC Boundary.
This ties directly to current federal requirements under CMMC 2.0, which aligns Level 2 (and higher) with the 110 security requirements of NIST SP 800-171 Revision 3. Revision 3 introduced a dedicated Supply Chain Risk Management (SR) family. It emphasizes controls like SR-1 (Policy and Procedures), SR-2 (Supply Chain Risk Management Plan), and SR-5 (Provenance). These require organizations to identify, assess, and mitigate risks from third-party components and suppliers. SBOMs provide the machine-readable inventory needed to fulfill these controls effectively. They track provenance, versions, suppliers, and known vulnerabilities (CVEs). This ensures you can map dependencies back to your CMMC Boundary and demonstrate that risks are managed.
Further reinforcing this, Executive Order 14028 ("Improving the Nation's Cybersecurity") mandates greater software supply chain transparency for federal procurements. It includes SBOMs as a "list of ingredients" for software. DoD policies build on this: contractors handling CUI must comply with DFARS 252.204-7012, which requires safeguarding systems per NIST SP 800-171. Recent DoD initiatives, such as the Software Fast Track (SWFT) and guidance emphasizing SBOMs for Authority to Operate (ATO) processes, make SBOM generation a practical necessity for procurement and compliance. As Dr. Shea notes, "it's important to have that bill of materials to understand where all this is coming from," especially when open-source components could originate from adversarial sources.
For defense contractors, integrating SBOM practices strengthens the CMMC Boundary in tangible ways:
- Provenance and Risk Visibility: SBOMs reveal who authored components and potential risks (e.g., "Chinese hackers writing it," as Dr. Shea warns). This allows proactive mitigation before certification assessments.
- Vulnerability Management: By correlating SBOM data with CVE databases, organizations can remediate issues swiftly. This aligns with NIST's risk assessment and system integrity requirements.
- Assessment Efficiency: A well-maintained SBOM supports evidence for third-party CMMC assessments. It reduces surprises during scoping of the CMMC Boundary and proves supply chain controls are implemented.
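To make the tiered-dependency and CVE-correlation points concrete, here is an added example (not from the article or from Dr. Shea's pilot) that walks a small CycloneDX SBOM from the root application outward, labels each component by dependency tier, matches package URLs against an advisory feed, and flags components with no supplier recorded. The SBOM, the feed, and the CVE identifiers are constructed placeholders, not real packages or real vulnerabilities.

```python
"""CycloneDX SBOM: tier walk, advisory correlation, provenance gaps (constructed data)."""
import json
from collections import deque

# Constructed CycloneDX 1.5 document: an application with two first-tier
# libraries, one of which pulls in a second-tier dependency.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "type": "application",
                            "name": "mission-app", "version": "1.0"}},
 "components": [
  {"bom-ref": "lib-a", "type": "library", "name": "lib-a", "version": "2.3.1",
   "purl": "pkg:pypi/lib-a@2.3.1", "supplier": {"name": "Example Org"}},
  {"bom-ref": "lib-b", "type": "library", "name": "lib-b", "version": "0.9.0",
   "purl": "pkg:pypi/lib-b@0.9.0"},
  {"bom-ref": "lib-d", "type": "library", "name": "lib-d", "version": "1.1.0",
   "purl": "pkg:pypi/lib-d@1.1.0"}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
  {"ref": "lib-b", "dependsOn": ["lib-d"]}]
}"""

# Constructed advisory feed keyed by package URL; the IDs are placeholders.
ADVISORIES = {"pkg:pypi/lib-d@1.1.0": ["CVE-YYYY-NNNN1 (placeholder)"],
              "pkg:pypi/lib-a@2.3.1": ["CVE-YYYY-NNNN2 (placeholder)"]}

def load_sbom(text=SBOM_JSON):
    return json.loads(text)

def dependency_tiers(sbom):
    """Map bom-ref to tier by BFS from the root: 1 = direct dependency, 2 = nested."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    tiers, queue = {}, deque([(root, 0)])
    while queue:
        ref, depth = queue.popleft()
        for child in edges.get(ref, []):
            if child not in tiers:  # first visit is the shortest path
                tiers[child] = depth + 1
                queue.append((child, depth + 1))
    return tiers

def correlate(sbom, advisories):
    """[(name, version, tier, advisory ids)] for components in the feed, shallowest first."""
    tiers = dependency_tiers(sbom)
    hits = [(c["name"], c["version"], tiers.get(c["bom-ref"]), advisories[c["purl"]])
            for c in sbom["components"] if c.get("purl") in advisories]
    return sorted(hits, key=lambda h: h[2] or 0)

def missing_supplier(sbom):
    """Components with no supplier recorded: provenance gaps to chase down."""
    return [c["name"] for c in sbom["components"] if "supplier" not in c]
```

The second-tier hit on lib-d is the kind of finding that never appears in a flat list of direct dependencies, which is why the tier walk matters.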
Dr. Shea advocates going beyond software to "cyber informed engineering." She emphasizes designing systems to minimize attack surfaces from the start. This proactive approach not only bolsters national security but also helps contractors avoid the dire consequences she cites: "60% of SMBs go out of business within six months of a breach."
In an era of cascading supply chain attacks like SolarWinds and Kaseya (examples Dr. Shea references), SBOMs are not optional extras. They are foundational to maintaining a defensible CMMC Boundary. By adopting SBOM generation early (leveraging resources from CISA, NTIA, and NIST), contractors can operationalize secure software practices, meet evolving DoD expectations, and position themselves competitively in the defense marketplace.
For additional insights from Dr. Shea, check out her work at FDD.org. If you're navigating CMMC compliance, start with a clear CMMC Boundary and build transparency into your supply chain. Your certification and national security depend on it.