In a landmark move to bolster India’s cybersecurity ecosystem, the Indian Computer Emergency Response Team (CERT-In) has rolled out an updated version of its technical guidelines on Software Bill of Materials (SBOM), now expanded to include Quantum & Cryptography (QBOM & CBOM), Artificial Intelligence (AIBOM), and Hardware (HBOM) components. This enhanced framework is designed to bring deeper transparency and structured traceability to the ever-evolving and increasingly complex digital supply chains.
The guidelines were officially updated in July 2025 and are part of India’s broader mission to secure digital infrastructure amidst rising global cyber threats. These updated BOM specifications serve as a cornerstone for mitigating vulnerabilities across both public and private sector ecosystems.
The Purpose: Trace, Manage, Secure
A BOM—whether software or hardware—functions like a digital inventory of components used in the creation of a product. With the integration of Quantum algorithms, AI models, cryptographic elements, and chip-level hardware, the revised guidelines now encompass the full spectrum of modern digital technologies.
According to CERT-In, these enhanced BOM formats will assist organizations in:
-
Tracking component provenance,
-
Managing known vulnerabilities (CVE mapping), and
-
Strengthening compliance and audit preparedness.
By institutionalizing such documentation across the software development lifecycle, CERT-In hopes to minimize unknown risks and improve reaction time during cyber incidents.
Backed by Leadership: Dr. Sanjay Bahl’s Vision
The revision of these guidelines has been spearheaded under the leadership of Dr. Sanjay Bahl, Director General of CERT-In, whose efforts have consistently focused on improving India’s cyber posture and resilience. Dr. Bahl has emphasized the growing importance of supply chain security, especially as technologies like AI and Quantum Computing introduce not only innovations but also new threat vectors.
Click Here to Download the Guidelines
Under his stewardship, CERT-In continues to move from reactive incident response to proactive cyber assurance—aligning with global best practices.
Intended for Developers, Suppliers, and Auditors
The target audience of these guidelines includes software developers, hardware manufacturers, government vendors, auditors, and cybersecurity analysts. With the updated version (2.0), CERT-In encourages:
-
Software firms to adopt SBOMs in software release cycles.
-
Chip and IoT device manufacturers to incorporate HBOMs and CBOMs in product documentation.
-
AI developers to maintain AIBOMs for model origin, datasets, and weights.
-
Quantum researchers to document algorithmic dependencies in QBOMs.
These documents should be maintained in both human-readable (PDF/CSV) and machine-readable (JSON/XML) formats and may be shared securely with downstream consumers or regulators.
Global Alignment and Future Readiness
India’s effort mirrors global movements like the U.S. Executive Order 14028 on SBOMs, NIST guidelines, and EU’s Cyber Resilience Act, highlighting India’s growing alignment with international cybersecurity frameworks.
The CERT-In update also offers guidance on maintaining BOMs during the lifecycle of software and devices, suggesting update mechanisms, patch transparency, and incident triaging methodologies.
As digital threats evolve, India’s approach—rooted in standardization, documentation, and real-time risk awareness—marks a significant shift from ad hoc responses to systematic resilience-building.