
What Do You Know About HBOM? Zero-Trust Hardware Starts With Provenance

The hardware supply chain is a clear front in the global competition to control (or at least heavily influence) the global IT supply chain — and Hardware Bills of Materials (HBOMs) are emerging as the critical tool for transparency and risk reduction.

Why This Matters

HBOM requirements are being defined now — by groups like CISA and informed by security leaders like Allan Friedman, who will be on the OODAcon 2025 stage for a discussion of “Hardware Supply Chain Security and HBOM”:

Hardware Bill of Materials (HBOM) advances supply chain security by bringing transparency to the components and dependencies in hardware systems, mirroring the role of Software BOMs (SBOM) in helping organizations proactively identify and mitigate vulnerabilities. Learn the latest on this new approach, which can allow rapid response and risk management when flaws or threats are discovered.

Critical infrastructure, defense systems, telecom networks, and emerging AI/ML workloads all depend on complex semiconductor supply chains. Yet organizations too often do not know what hardware components they are deploying — or where they come from. HBOMs offer visibility into active components, foreign ownership and control, hardware tampering, and counterfeit risks, enabling a stronger defensive posture and compliance readiness.

Allan Friedman on the HBOM in 2025

Friedman warns that government mandates are accelerating, verification markets will rapidly emerge, and without proactive industry engagement, HBOM regulation may arrive before scalable solutions are in place.

This post is a pre-read of sorts for our OODAcon session with Allan, and is based on two now-seminal presentations he gave in 2025 (April and August, respectively) on the HBOM: “What’s in the Box?—Hardware Bill of Material and what it means at RSAC 2025” and, at DEF CON 33, “What’s Really in the Box? The Case for Hardware Provenance and HBOMs.”

In his presentations earlier this year, Allan argued that the next major cybersecurity challenge is securing the hardware supply chain. He emphasized that organizations increasingly rely on semiconductors sourced through opaque, globally distributed manufacturing ecosystems, making them vulnerable to counterfeits, tampering, undocumented components, and regulatory blind spots.

Building on the lessons of Software Bills of Materials (SBOMs), Friedman introduces Hardware Bills of Materials (HBOMs) as a foundational requirement for transparency, national security, and compliance — enabling stakeholders to map known risks, validate provenance, and implement tiered assurance models.

Key Points

  • Hardware Provenance Is Now Strategic Risk: Tampering and counterfeits are increasing across defense and commercial supply chains.
  • Government-Led Compliance Is Coming Fast: The U.S. and other governments will require country-of-origin validation for semiconductors within the next 6 years. Automotive and telecom regulations already prohibit some foreign-owned components.
  • HBOM ≠ SBOM — But They Must Interoperate: Software Bills of Material (SBOMs) pioneered transparency; HBOM adds physical supply chain provenance and chain-of-custody tracking.
  • Hardware Verification Will Become a High-Growth Market: Next-gen verification tools using robotics + AI will unlock scale and enable market assurance.
  • Industry Pushback Expected: Supplier relationships are guarded as competitive advantage — HBOM models must attest to risk without exposing trade secrets.
  • Common Data Models Are the Starting Point: HBOMs must begin with interoperable transparency layers — not perfect standards.
  • OODA Loop Analysis, Hardware-Level Zero Trust: Quantifiable assurance is becoming core to supply-chain governance and AI compute trust.

What Next?

  • Regulation-led adoption begins
    • Early enforcement in telecom, national security electronics, defense, and vehicles.
  • International alignment required
    • The EU Cyber Resilience Act and Japanese/Korean national strategies already reference HBOM constructs.
  • AI-assisted traceability
    • Large language models will map disparate hardware + software provenance datasets.
  • Security ratings for components
    • “Known badness” mapping becomes a live operational risk layer above BOM data.

Recommendations from Allan’s Presentations

For Executives: Begin HBOM pilots now in critical systems to avoid future compliance disruption.

For CISOs: Integrate HBOM into third-party risk management and Zero-Trust architecture reviews.

For Product + Engineering Leaders: Implement BOM tracking in active-component supply chain ERP/PLM workflows.

For Researchers & Policymakers: Standardize assurance tiers — mapping higher-risk domains to stronger attestations.

Additional OODA Loop Resources

Prepared for OODA Loop readers and OODAcon attendees working on HBOM, hardware provenance, and semiconductor supply-chain security.

Curated readings to complement HBOM, hardware provenance, and supply-chain security workstreams:

Hardware-Level Zero Trust & Quantifiable Assurance

Semiconductor Geopolitics & Strategic Dependencies

Supply-Chain Resilience, Industrial Strategy & Procurement

Legacy, Secondary Markets & Workload Demand

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.