Keysight unveils SBOM Manager to meet new cyber rules
Keysight has launched SBOM Manager, a software supply chain product designed to automate the creation and management of software bills of materials (SBOMs) as regulators tighten cybersecurity requirements for connected products.
SBOMs list the software components inside a product and are gaining prominence in government procurement and regulated sectors. New rules and guidance in the US and Europe are increasing pressure on manufacturers and software suppliers to document third-party components, track vulnerabilities, and share information with customers and partners.
Keysight is positioning the product around compliance with the EU Cyber Resilience Act, expected to apply from 2026. The regulation introduces obligations for manufacturers of connected products on cybersecurity risk management and vulnerability handling, and emphasises product transparency, including SBOM practices and disclosure expectations.
In the US, Executive Order 14028 has pushed federal agencies and suppliers towards greater software transparency. The Food and Drug Administration has also set out cybersecurity expectations for medical devices. Similar policy activity is under way in parts of Asia, with SBOM requirements emerging across regulated industries.
What It Does
SBOM Manager analyses compiled software and packaged components, including binaries, firmware, and containers. This matters for organisations that ship embedded software or products that include closed-source components from suppliers.
It also correlates SBOM results with vulnerability information. The service draws on multiple vulnerability data sources and runs continuous checks, according to Keysight. Security teams often face large spikes in alerts when vulnerability databases update or when widely used dependencies are reclassified.
Keysight says SBOM Manager filters out vulnerabilities that are not applicable to a given product or deployment. It supports the Vulnerability Exploitability eXchange (VEX) format, which vendors use to indicate whether a reported vulnerability affects their product and under what conditions.
Sharing Controls
Regulatory and customer expectations increasingly extend beyond producing an SBOM. Organisations also need to distribute SBOMs and vulnerability information across the supply chain. Keysight says SBOM Manager includes role-based controls and version tracking for SBOM sharing.
The product also provides SBOM validation and normalisation. Standards and minimum requirements vary by regime and industry, and companies often face incompatible formats and inconsistent component naming. Data quality issues can undermine an SBOM's value, particularly when matching vulnerabilities to deployed assets.
Keysight says SBOM Manager can ingest supplier SBOMs and map them to deployed digital assets. The feature targets organisations that buy software and connected devices as much as those that build them. Large industrial operators and healthcare providers have been building asset inventories that link software composition data with device and application records.
Market Signals
Hitachi Industry & Control Solutions and CyBeats have validated the approach, according to Keysight. Their comments highlight the operational challenge of turning transparency requirements into routine processes across product lines and supplier networks.
Naoki Shimazaki, Director in the Fourth Design Department at Hitachi Industry & Control Solutions' Software-Defined Solutions Division, Connective Engineering Division, said: "The use of SBOMs is becoming an essential element in monitoring system security risks, including software composition management and supply chain risk management. We believe that solutions such as these, which enable visibility into system components and support vulnerability impact analysis, have significant potential to strengthen organizations' cybersecurity efforts."
Regulatory requirements can also tighten incident response expectations, increasing the need for reliable component records. Keysight notes that the EU Cyber Resilience Act includes requirements to report actively exploited vulnerabilities within 24 hours. That timeframe makes it harder for manufacturers to rely on manual inventories and ad hoc supplier outreach during an incident.
Dmitry Raidman, co-founder and chief technology officer at CyBeats, said: "While companies innovate at the speed of AI, they must also put tighter governance and stronger controls in place, especially as modern products increasingly rely on open source, third-party components, and AI-assisted development. Supply chain transparency and accountability are now paramount. To meet growing global regulations, organizations need the ability to continuously generate trustworthy SBOMs, correlate them with actionable vulnerability intelligence, apply VEX to reduce noise, and automate response workflows at scale. As transparency expectations expand across software, AI, cryptography, and hardware, visibility into the full digital product stack is becoming essential for secure-by-design development, regulatory readiness, and customer trust."
Competitive Context
SBOM tooling is a fast-moving segment of the security market. Buyers range from software producers meeting customer due diligence requirements, to device manufacturers facing new compliance regimes, to critical infrastructure operators managing supplier risk. Many organisations already use software composition analysis tools in development teams, but SBOM obligations extend into manufacturing, procurement, compliance, and post-sale vulnerability response.
Ram Periakaruppan, vice president and general manager of Network Test & Security Solutions at Keysight, said: "As cybersecurity regulations mature, SBOMs are becoming a prerequisite for doing business globally. Keysight SBOM Manager helps organizations meet these requirements with confidence by bringing accuracy, consistency, and scalability to SBOM generation and management."