Blog on IntelliXBOM

SEBI's CSCRF Names SBOMs Here's What GV.SC.S5 Actually Demands (and Where It Still Leaves Gaps)

Mon, 13 Apr 2026 18:00:00 +0530

When SEBI published its Cybersecurity and Cyber Resilience Framework (CSCRF) in August 2024 (Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, 20 August 2024), many teams scanned the document for one question: does the capital markets regulator treat software supply chain risk as a first class problem?

The answer is yes, explicitly. Under Governance → Supply Chain Risk Management, Standard GV.SC.S5 mandates Software Bills of Materials (SBOMs) for Regulated Entities (REs), with SolarWinds and Apache Log4j cited as motivating context. That level of specificity is unusual and welcome for a financial sector framework.

Don't Trust the SBOM Your Vendor Gave You

Thu, 09 Apr 2026 12:00:00 +0530

Regulators across the world are finally getting serious about the software supply chain. India’s CERT-In SBOM Technical Guidelines (v2.0, July 2025) go beyond just SBOMs they extend to a broader BOM ecosystem, including CBOM, QBOM, AIBOM, and HBOM. This makes the requirement not just about software components, but about understanding the full composition of modern systems.

Globally, the direction is the same whether it’s the US Executive Order 14028, the EU Cyber Resilience Act, RBI Advisory 11/2024, or MeitY’s 2025 guidelines.

Your Vendor NDA Won't Stop a Supply Chain Attack

Mon, 06 Apr 2026 00:00:00 +0000

IRDAI’s New Rules Won’t Save You.

What the 2026 IRDAI Guidelines on Information and Cyber Security for Regulated Entities get right, what they miss, and the one capability every regulated insurer needs to deploy now.

The Insurance Regulatory and Development Authority of India (IRDAI) has significantly raised the bar with its amended Cybersecurity Guidelines 2023 (Annexure A). For every insurer and insurance intermediary operating in India, these amendments are not optional fine print they are a direct signal that cybersecurity governance must now match the sophistication of today’s threat landscape.

End of Life is a Blind Spot for Open-Source Packages in Your Supply Chain

Mon, 26 Jan 2026 00:00:00 +0530

By the time you discover a dependency is abandoned, it’s usually already a liability. Here’s why EOL detection can’t be a metadata lookup and what to do instead.

Your CI/CD pipeline is scanning for vulnerabilities. Your SCA tool is checking licenses. Your SBOM is up to date. But there’s a question none of those tools are consistently answering:

Is this open-source package still being maintained and if not, when did it stop?

Software Supply Chain Intelligence: Not Just an Inventory

Thu, 01 Jan 2026 00:00:00 +0530

Software Supply Chain Security

Most conversations about software supply chain security start and end with one question: do you have an SBOM?

That is the wrong question.

An SBOM Software Bill of Materials is, at its core, a structured list of components, libraries, and dependencies that make up a software product. For years, the industry treated possession of this list as a security milestone. Regulatory frameworks reinforce this narrative: produce an SBOM, share it with your customer, and check the compliance box.

Beyond SCA: Generating SBOMs, CBOMs, QBOMs, and AIBOMs at Runtime

Wed, 09 Jul 2025 10:00:00 +0530

Your SBOM is only telling you half the story here’s what it’s missing

Somewhere in your production environment right now, code is running that your SBOM doesn’t capture. A library is loaded that never made it into your inventory. A cryptographic routine is executing without ever being audited. An AI model serves requests from an untracked registry. Meanwhile, your SCA tool the one behind that reassuring green dashboard has no visibility into any of it.