President Biden’s executive order (EO) on cybersecurity aims to redress weaknesses in digital security ecosystem. It is peppered with nearly 50 actions that the federal government must take within extraordinarily tight timeframes. The first software security deadline in the EO is to publish a definition of what constitutes “critical software” NIST’s deadline for producing this definition is June 26, which in turn will trigger actions by other government agencies. SBOM is effectively an ingredient list or a nested inventory, a “formal record containing the details and supply chain relationships of various components used in building software””]