https://intellixbom.com/tags/cscrf/Recent content in CSCRF on IntelliXBOMHugoen-usMon, 13 Apr 2026 18:00:00 +0530https://intellixbom.com/blog/sebi-cscrf-sbom-gv-sc-s5-capital-markets/Mon, 13 Apr 2026 18:00:00 +0530https://intellixbom.com/blog/sebi-cscrf-sbom-gv-sc-s5-capital-markets/<p>When SEBI published its <strong>Cybersecurity and Cyber Resilience Framework (CSCRF)</strong> in August 2024 (<strong>Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113</strong>, 20 August 2024), many teams scanned the document for one question: <em>does the capital markets regulator treat software supply chain risk as a first class problem?</em></p> <p>The answer is <strong>yes, explicitly</strong>. Under <strong>Governance → Supply Chain Risk Management</strong>, Standard <strong>GV.SC.S5</strong> mandates <strong>Software Bills of Materials (SBOMs)</strong> for Regulated Entities (REs), with <strong>SolarWinds</strong> and <strong>Apache Log4j</strong> cited as motivating context. That level of specificity is unusual and welcome for a financial sector framework.</p>