Regulatory Compliance

State and Local Government SBOM Mandates

States and cities are adopting SBOM requirements faster than most vendors have noticed. A survey of where the mandates sit and what they actually require.

Nayan Dey
Senior Security Engineer
7 min read

Federal SBOM requirements get most of the attention. Executive Order 14028 in May 2021, OMB Memorandum M-22-18 in September 2022, and the CISA Secure by Design initiative launched in April 2023 set the national direction. What has been quieter but arguably more immediate for vendors is the parallel movement at the state and local level. Over 2023 and 2024, state CIOs, state procurement offices, and large municipal IT organizations have been incorporating SBOM and software supply chain requirements into procurement language, sometimes explicitly and sometimes implicitly. Any software vendor that sells into state and local government needs to track this, because the requirements are already showing up in RFPs and will be in binding contracts within a year or two.

The national baseline

The federal SBOM framework rests on a few foundational documents. NTIA's "Minimum Elements for a Software Bill of Materials" published 12 July 2021 defines what a useful SBOM contains. CISA's subsequent SBOM-at-a-glance explainers, and the more recent "Framing Software Component Transparency" work from its 2024 Open Source Security Summit, have set community norms. NIST's Secure Software Development Framework (SSDF) SP 800-218, updated in February 2022, operationalizes the practices a software producer is expected to follow and is now referenced directly in federal procurement self-attestations through the CISA Secure Software Development Attestation Form launched 11 March 2024.

States have largely taken this as the starting point. Where they have diverged, it is usually in the direction of added specificity — narrower timelines, broader scope, or tighter attestation language.

What states have actually done

New York was among the earliest movers. The New York State Office of Information Technology Services began including software supply chain language in its procurement documents in 2023, leaning on the NYS Information Security Policy NYS-P03-002 and the more specific requirements in NYS-S13-001 and NYS-S14-003. New York City's Department of Information Technology and Telecommunications followed with its own guidance, and NYC DoITT's contractual addenda for vendors now routinely request SBOMs for software that handles city data.

California's Department of Technology published updates to the State Administrative Manual through 2023 and 2024 that incorporate software supply chain diligence into procurement risk assessments. The California Cybersecurity Integration Center (Cal-CSIC) has been a quiet force in pushing state agencies toward SBOM-aware contract language. The state's involvement in the Multi-State Information Sharing and Analysis Center (MS-ISAC) and its work with CISA have produced alignment with federal direction.

Texas has moved through a different channel. The Texas Department of Information Resources maintains Texas Cybersecurity Framework requirements that apply to state agencies, and the TX-RAMP program for cloud products now includes supply chain controls in its Level 2 baseline. Vendors selling cloud services to Texas agencies increasingly have to produce SBOM-aligned evidence as part of TX-RAMP assessment.

North Dakota, Virginia, Minnesota, and Washington have each incorporated SBOM or equivalent supply chain evidence expectations into specific procurements during 2023 and 2024, often in the context of large ERP, Medicaid and health-system, or election-infrastructure acquisitions.

StateRAMP and the cloud path

StateRAMP, which began accepting authorizations in 2021 and reached meaningful scale in 2023, has become the closest thing to a unified cross-state standard for cloud service software supply chain. StateRAMP's Security Snapshot launched in mid-2023, and the full Authorized product list has grown to include Category 3 (high impact) products by late 2024. The program's control baseline derives from FedRAMP and NIST SP 800-53 Revision 5, and the supply chain risk management control family (SR) introduced in Rev 5 is a direct expression of federal EO 14028 direction at the state level.

A cloud vendor that has completed StateRAMP Ready or Authorized status at the Moderate or High level has implicitly met a meaningful portion of the supply chain expectations that states would otherwise ask about in bespoke procurements. For multi-state vendors, StateRAMP has become an efficient path.

The municipal and county layer

Municipal governments have moved more unevenly than states. Large cities — New York, Los Angeles, Chicago, Seattle, Denver — have dedicated cybersecurity leadership and have been integrating SBOM expectations into procurement. Smaller municipalities typically rely on their state's MS-ISAC affiliation and on CIS Controls for guidance. The Public Sector Cybersecurity Task Force and the National Association of State Chief Information Officers (NASCIO) have been attempting to provide model contract language that smaller jurisdictions can adopt without building their own program from scratch.

An interesting pattern emerged over 2024: ransomware incidents against smaller municipalities — the City of Dallas in May 2023, multiple Texas municipalities through the Royal and Akira ransomware campaigns, the February 2024 Change Healthcare incident that disrupted county benefits programs — put supply chain provenance front of mind for mayors and county executives who had previously left the question to IT. Several states responded by issuing guidance to local governments specifically on third-party software diligence.

What the procurement language looks like

A reasonably current state or municipal RFP for enterprise software now typically includes language similar to the following themes. The vendor must provide a software bill of materials in a standardized format (CycloneDX, SPDX) covering all direct and transitive open-source and commercial components. The SBOM must be refreshed on each major release. The vendor must attest to compliance with NIST SSDF practices or equivalent. The vendor must notify the state of known vulnerabilities affecting the delivered software within defined timelines, typically aligned with CVSS severity. The vendor must maintain an SOC 2 Type II, HITRUST, or ISO 27001 certification, updated annually.

Vendors who have been selling exclusively in the commercial market often find this language unfamiliar. Vendors who have been selling to federal agencies under the CISA Secure Software Development Attestation requirements find the state language broadly compatible but with different evidence expectations.

The enforcement question

State contract language is only as meaningful as its enforcement. Through 2024, enforcement has generally taken the form of procurement office pushback during evaluation rather than post-contract audits. That is changing. Several states — New York and California among them — have begun to include audit rights specifically over supply chain evidence in their standard contract terms. The New York State Comptroller's Office has authority to audit vendor compliance with information security terms, and its 2023 and 2024 audit reports have increasingly flagged supply chain diligence gaps.

The plausible near-term future is that state-level enforcement will accelerate on a parallel track with the CISA federal enforcement around the Secure Software Development Attestation Form. Vendors who treat state SBOM language as pro-forma will be caught off-guard when the first significant state enforcement action lands.

What vendors should build now

The practical preparation is straightforward in concept: maintain authoritative SBOMs for every product you sell, refresh them on every release, correlate them against live vulnerability feeds, and publish disclosures on the cadence your state contracts require. The hard part is operationalizing this at the scale of a vendor with dozens of products, thousands of dependencies, and a customer base that spans multiple jurisdictions with slightly different evidence expectations.
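The contract themes listed under "What the procurement language looks like" and the preparation steps above (keep an SBOM per product, refresh it per release, correlate it against vulnerability feeds, notify on a severity-driven cadence) can be reduced to a small, repeatable check. The script below is an added example written for this article; it is not Safeguard's code or any state's tooling. The CycloneDX document and the vulnerability feed are constructed inline, the CVE identifiers are placeholders rather than real advisories, and the notification windows in NOTIFY_DAYS are assumed contract values, since the article gives no specific timelines.

```python
"""Contract-style SBOM checks: format, completeness, freshness, and
severity-driven notification deadlines. Added example, not vendor code."""
import json
from datetime import datetime, timedelta

# Constructed minimal CycloneDX JSON SBOM for a fictional product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-09-02T10:00:00Z",
        "component": {"type": "application", "name": "example-app", "version": "4.2.0"},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2", "purl": "pkg:npm/libfoo@1.4.2"},
        {"type": "library", "name": "libbar", "version": "2.0.0", "purl": "pkg:pypi/libbar@2.0.0"},
        {"type": "library", "name": "libbaz", "version": "0.9.1"},   # no purl: cannot be correlated
    ],
})

# Constructed vulnerability feed. IDs are placeholders, not real CVEs.
SAMPLE_FEED = [
    {"id": "CVE-0000-EXAMPLE1", "purl": "pkg:npm/libfoo@1.4.2", "cvss": 9.1,
     "published": "2024-09-10T00:00:00Z"},
    {"id": "CVE-0000-EXAMPLE2", "purl": "pkg:pypi/libbar@1.9.0", "cvss": 5.5,
     "published": "2024-09-10T00:00:00Z"},   # older libbar version: no match
]

# Assumed notification windows (days) per CVSS severity band; a real contract
# would supply these numbers.
NOTIFY_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "metadata", "components")


def parse_ts(text):
    # CycloneDX timestamps are ISO 8601; fromisoformat needs +00:00 rather than Z.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def cvss_severity(score):
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score <= 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def load_sbom(text):
    """Parse the document and reject anything that is not a usable CycloneDX SBOM."""
    sbom = json.loads(text)
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in sbom]
    if missing or sbom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a usable CycloneDX SBOM; missing keys: {missing}")
    return sbom


def check_components(sbom):
    """Findings for components that lack a purl and so cannot be matched to a feed."""
    return [f"{c['name']}@{c['version']} has no purl"
            for c in sbom["components"] if not c.get("purl")]


def is_stale(sbom, release_time_iso):
    """True if the SBOM was generated before the release it claims to describe."""
    return parse_ts(sbom["metadata"]["timestamp"]) < parse_ts(release_time_iso)


def correlate(sbom, feed):
    """Exact purl matches between SBOM components and feed entries, each with the
    notify-by date implied by the assumed severity windows. Exact-version matching
    is deliberate here; real feeds publish affected version ranges."""
    purls = {c["purl"] for c in sbom["components"] if c.get("purl")}
    notices = []
    for vuln in feed:
        if vuln["purl"] not in purls:
            continue
        sev = cvss_severity(vuln["cvss"])
        if sev == "none":
            continue
        deadline = parse_ts(vuln["published"]) + timedelta(days=NOTIFY_DAYS[sev])
        notices.append({"id": vuln["id"], "purl": vuln["purl"], "severity": sev,
                        "notify_by": deadline.date().isoformat()})
    return notices


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    print("completeness findings:", check_components(bom))
    print("stale for 2024-09-05 release:", is_stale(bom, "2024-09-05T00:00:00Z"))
    for n in correlate(bom, SAMPLE_FEED):
        print(f"{n['id']} ({n['severity']}) on {n['purl']}: notify by {n['notify_by']}")
```

Run against a real build, the SBOM would come from the build system's generator and the feed from a vulnerability source, but the three checks stay the same: the document is in an accepted format with every component identifiable, its timestamp is not older than the release, and each matched advisory carries a deadline derived from its severity so the notification clause can be tracked rather than remembered.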

How Safeguard Helps

Safeguard builds the authoritative SBOMs state procurement offices are now demanding, in CycloneDX and SPDX, refreshed on every build so the evidence you submit is never stale. Reachability analysis separates the vulnerabilities that are actually exercised in your shipped binaries from the transitive long tail, letting your state account managers answer procurement questions with precision rather than worst-case estimates. Griffin AI correlates new CVE disclosures against every product SBOM you have published to every state customer, producing notification-ready drafts within minutes of an advisory. The TPRM module tracks your own upstream suppliers against StateRAMP and NIST SSDF expectations, and policy gates prevent a release from shipping if it would regress the supply chain posture you attested to in procurement.
