SBOM & Software Supply Chain Security Certifications 2026
SBOMs, SLSA, sigstore, and supply chain attacks reshaped security in 2026. Certifications, skills, and what to study after the EO 14028 deadline wave.

After XZ Utils, Polyfill.io, and the rolling JS supply chain attacks of 2024-2025, every Fortune 500 SOC has an SBOM mandate. The US federal EO 14028 deadlines hit, and the EU Cyber Resilience Act enforcement window opened in late 2025. Software supply chain security is no longer a niche — it's now table stakes on AppSec interviews and a major topic on CISSP, CSSLP, and CCSP.
What "Supply Chain Security" Actually Covers
Four overlapping disciplines, often confused:
- SBOM (Software Bill of Materials) — list of components and dependencies in a build. CycloneDX or SPDX format.
- Provenance — verifiable claim about how a build was produced. SLSA framework, in-toto attestations.
- Signing — cryptographic signatures over artifacts. Sigstore (cosign, fulcio, rekor) or traditional GPG.
- Vulnerability response — VEX (Vulnerability Exploitability eXchange), advisory ingestion, autonomous remediation.
The Frameworks You Need to Know
SLSA
Build levels (Build L1, L2, L3) define how strongly a build's provenance attests to its artifacts. CI/CD systems (GitHub Actions, GitLab, Buildkite, Tekton Chains) have native SLSA support.
CycloneDX
OWASP-maintained. Strong support for ML-BOM (machine learning), CBOM (cryptographic), VEX, and operations metadata. Most flexible format in 2026.
SPDX
Linux Foundation-maintained. Strong legal/license focus. Federal contractors often prefer SPDX because of NTIA references.
Sigstore
Cosign (signing), Fulcio (CA), Rekor (transparency log). Keyless signing using OIDC tokens. Standard in Kubernetes, Python (PEP 740), and increasingly npm/cargo.
Certifications Covering Supply Chain Security
- CISSP — Domain 8 expanded supply chain content significantly in the 2024 refresh.
- CSSLP (Certified Secure Software Lifecycle Professional) — entire domain on supply chain risk.
- CCSP — supply chain in cloud context, including container provenance.
- OSCP / GIAC GWAPT — practical attack-side coverage for AppSec engineers.
- CompTIA SecurityX (CASP+ successor) — added SBOM/SLSA objectives in 2026.
- CNCF CKS — supply chain section covering image signing, admission controllers, runtime verification.
Tools That Show Up in Real Programs
- SBOM generation: Syft, CycloneDX CLI, sbomqs, Anchore.
- SBOM consumption: Grype, Trivy, Dependency-Track, GitHub dependency review.
- Signing: cosign, in-toto, GitHub Artifact Attestations.
- Verification at deploy: Kyverno, Sigstore Policy Controller, Connaisseur.
- VEX: OpenVEX, vexctl, OSV.
- Repository defense: Socket.dev, Snyk, Endor Labs, Apiiro.
Hard-won lesson: generating SBOMs is easy. Consuming them — actually acting on a vulnerability detected in a deployed artifact — is the hard part. Most programs stall at "we have SBOMs" without closing the loop.
12-Week Skill Path
Weeks 1-2: Fundamentals
Read EO 14028 NTIA Minimum Elements for SBOM. Compare CycloneDX and SPDX with example documents. Generate an SBOM for an open-source project with Syft.
Weeks 3-4: SLSA & Provenance
Implement SLSA L2 in a GitHub Actions workflow. Verify provenance with slsa-verifier. Add cosign keyless signing.
Weeks 5-7: Detection & Response
Stand up Dependency-Track. Ingest SBOMs from CI. Configure VEX for false-positive suppression. Practice incident response on a simulated CVE.
Weeks 8-10: Runtime Verification
Deploy a Kubernetes admission controller (Kyverno or Sigstore Policy Controller) that blocks unsigned images. Add VEX annotations to Kubernetes deployments.
Weeks 11-12: Cert Prep
Fold these skills into CISSP D8 or CSSLP study. Practice exam questions on supply chain attack scenarios.
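The hard-won lesson above (generating SBOMs is easy, acting on findings is hard) and the Weeks 5-7 step (VEX for false-positive suppression) come down to one join: scanner findings against the SBOM inventory and against VEX statements. The following is an added example, not code from the page or from any tool it names; the CycloneDX SBOM, the scanner findings and the OpenVEX document are all constructed sample data, and the CVE ids are placeholders.

```python
# Added example: triage scanner findings against the SBOM inventory and an
# OpenVEX document, keeping only what still needs action. All data is constructed.
import json

SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "example-lib", "version": "1.2.3",
   "purl": "pkg:npm/example-lib@1.2.3"},
  {"type": "library", "name": "other-lib", "version": "0.9.0",
   "purl": "pkg:npm/other-lib@0.9.0"}]}"""

# Scanner output reduced to (purl, vulnerability id); the CVE ids are placeholders.
FINDINGS = [
    ("pkg:npm/example-lib@1.2.3", "CVE-0000-00001"),
    ("pkg:npm/example-lib@1.2.3", "CVE-0000-00002"),
    ("pkg:npm/other-lib@0.9.0", "CVE-0000-00003"),
    ("pkg:npm/not-in-sbom@1.0.0", "CVE-0000-00004"),  # deployed artifact drifted
]

VEX_JSON = """{"@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "urn:constructed:vex:1", "author": "constructed", "version": 1,
  "statements": [
   {"vulnerability": {"name": "CVE-0000-00001"},
    "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
    "status": "not_affected",
    "justification": "vulnerable_code_not_in_execute_path"},
   {"vulnerability": {"name": "CVE-0000-00003"},
    "products": [{"@id": "pkg:npm/other-lib@0.9.0"}],
    "status": "affected"}]}"""

SUPPRESSING = {"not_affected", "fixed"}  # VEX statuses that close a finding


def triage(sbom_json, findings, vex_json):
    """Return findings bucketed as actionable, suppressed, or unknown_component."""
    inventory = {c["purl"] for c in json.loads(sbom_json)["components"]}
    # (vuln id, product purl) -> status; a later statement overrides an earlier one
    statuses = {}
    for st in json.loads(vex_json)["statements"]:
        for product in st.get("products", []):
            statuses[(st["vulnerability"]["name"], product["@id"])] = st["status"]
    result = {"actionable": [], "suppressed": [], "unknown_component": []}
    for purl, vuln in findings:
        if purl not in inventory:          # finding does not map to the SBOM
            result["unknown_component"].append((purl, vuln))
        elif statuses.get((vuln, purl)) in SUPPRESSING:
            result["suppressed"].append((purl, vuln))
        else:                              # affected, under_investigation, or no VEX
            result["actionable"].append((purl, vuln))
    return result
```

Call `triage(SBOM_JSON, FINDINGS, VEX_JSON)` to get the three buckets; the `unknown_component` bucket is the drift signal worth alerting on, since it means the deployed artifact no longer matches its SBOM.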
Frequently Asked Questions
Is SBOM legally required everywhere?
Federal US: yes for most software sold to government. EU: yes under the CRA (phased enforcement, effective 2027). Private sector: contractual, but increasingly mandatory in vendor questionnaires.
Cosign keyless or key-based?
Keyless (OIDC) for ephemeral builds. Key-based for high-trust release artifacts where you want long-lived verifiability without depending on Fulcio. Most teams use both.
Does CISSP go deep on SLSA?
Conceptually, yes. The exam doesn't ask you to write provenance YAML, but it does test whether you understand build-level integrity, in-toto, and how SLSA reduces specific attack classes.
Is supply chain security a separate role?
Increasingly yes. "Software Supply Chain Security Engineer" emerged as a distinct title in 2025. Sits between AppSec, DevSecOps, and Platform. $160k-$220k US average.
