By: Kate Fazzini

As software bill-of-materials (SBOM) requirements move from guidance to procurement condition across federal agencies, the harder policy fight — who bears liability when a buried open-source component fails — is coming into view.

A recent Council on Foreign Relations analysis argued that transparency mandates like SBOM are necessary but insufficient: knowing what is inside a product does not, by itself, assign responsibility when that product is breached. The report pressed for a liability regime that reaches vendors who ship known-vulnerable code, while shielding good-faith maintainers of the open-source libraries those vendors depend on.

This maps closely onto themes JLCW authors raised in "The Supreme Art of War, on Subduing the Enemy without Fighting," which argues that effective defense requires preventive action to strengthen the supply chains feeding government and critical-infrastructure buyers — through rigorous compliance, regular audits, and thorough vetting of suppliers and their equipment.

The throughline is the same one animating §889(a)(1)(B) enforcement: procurement power is becoming the government's most-used cyber-policy lever. You can read the full argument in the Journal of Law and Cyber Warfare, Volume 9, Issue 2. – Kate Fazzini