TLDR: The Indian Computer Emergency Response Team (CERT-In) has released updated Software Bill of Materials (SBOM) guidelines, now encompassing Artificial Intelligence (AIBOM), Quantum (QBOM), Cryptography (CBOM), and Hardware (HBOM) components. These guidelines, effective July 2025, aim to enhance transparency, traceability, and cybersecurity across India’s digital supply chains, particularly for AI systems, by mandating detailed documentation of components, datasets, and methodologies.
In a significant move to bolster India’s digital security landscape, the Indian Computer Emergency Response Team (CERT-In) has unveiled updated guidelines for its Software Bill of Materials (SBOM), now expanded to include Artificial Intelligence Bill of Materials (AIBOM), Quantum Bill of Materials (QBOM), Cryptography Bill of Materials (CBOM), and Hardware Bill of Materials (HBOM). Released in July 2025, these comprehensive guidelines, version 2.0, are designed to bring unprecedented transparency and structured traceability to the nation’s increasingly complex digital supply chains.
The core concept of a Bill of Materials (BOM) is to catalog the raw materials, components, parts, and assemblies required to create a product, akin to a ‘recipe’. When applied to AI systems, AIBOM specifically mandates documenting the components that constitute an AI model and its deployment infrastructure. This includes details on datasets used, data lineage, and the methodologies applied in building the AI model. The guidelines emphasize that this is about operational security efficiency rather than new regulatory burdens, providing a structured approach to security practices that responsible AI developers should already be implementing.
The primary objectives of these enhanced guidelines are multifaceted: to track provenance, manage vulnerabilities, and ensure compliance. By providing a detailed inventory of components, organizations can identify and mitigate risks by mapping components to known vulnerabilities, for instance, through the CVE database. This is particularly crucial given that supply chains are reportedly the target of 60% of cyberattacks, according to IBM’s 2024 report.
The guidelines target a broad spectrum of stakeholders, including software developers, hardware manufacturers, developers of AI and quantum systems, government vendors, auditors, and cybersecurity analysts. CERT-In mandates that BOMs be maintained in both human-readable formats (PDF/CSV) and machine-readable formats (JSON/XML) to facilitate secure sharing and interoperability.
This strategic update aligns India with international cybersecurity standards, mirroring global initiatives such as the U.S. Executive Order 14028 on SBOMs and NIST guidelines. By focusing on detailed BOMs, CERT-In aims to strengthen supply chain security and enhance trust in Indian technology globally, supporting the ‘Digital India’ initiative.
Also Read:
- India’s AI Transformation: Driving Governance, Public Services, and Economic Growth
- Google’s ‘Big Sleep’ AI Agent Foils Critical Cybersecurity Exploit in a Landmark First
While the updated guidelines mark a pivotal step forward, their implementation presents certain challenges. Small and medium enterprises (SMEs) may face difficulties in allocating the necessary resources for comprehensive BOM adoption. Furthermore, the inherent complexity of AI and quantum systems necessitates specialized expertise, underscoring the need for workforce upskilling across the industry. Despite these hurdles, the guidelines are anticipated to stimulate growth within India’s cybersecurity market and reinforce the nation’s digital infrastructure against evolving threats.
