This story (linked below under Read More) is very high level and lacks any voices or input from people who have actually worked in the trenches for 4+ years, where SBOMs are already deployed and providing value.
The Linux Foundation held an SBOM DocFest on November 30, and apart from a few minor differences, the SBOMs used in the test met the NTIA minimum requirements for an SBOM that may be produced under OMB M-22-18. There are ample SBOM tools available to consumers to process SBOMs and search for newly disclosed vulnerabilities in software that may be installed within company computing systems. CycloneDX SBOM tools are listed here; SPDX SBOM tools are listed here.
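As an added illustration of what "processing an SBOM" means in practice (example code written for this page, not one of the tools linked above), the script below loads a constructed CycloneDX-style SBOM, reports gaps against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp), and matches component purls against a constructed advisory list. The SBOM contents, the advisory ID and the purls are all made-up placeholders.

```python
import json

# Constructed CycloneDX-style SBOM (JSON); not from any real product.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"timestamp": "2022-12-01T10:00:00Z",
               "authors": [{"name": "Example Corp SBOM team"}]},
  "components": [
    {"bom-ref": "pkg:maven/org.example/app@2.0.1", "name": "app", "version": "2.0.1",
     "supplier": {"name": "Example Corp"}, "purl": "pkg:maven/org.example/app@2.0.1"},
    {"bom-ref": "pkg:maven/org.example/logger@1.2.3", "name": "logger", "version": "1.2.3",
     "supplier": {"name": "Example Libs"}, "purl": "pkg:maven/org.example/logger@1.2.3"},
    {"bom-ref": "lib-x", "name": "libx", "version": "0.9",
     "purl": "pkg:generic/libx@0.9"}
  ],
  "dependencies": [{"ref": "pkg:maven/org.example/app@2.0.1",
                    "dependsOn": ["pkg:maven/org.example/logger@1.2.3", "lib-x"]}]
}"""
SBOM = json.loads(SBOM_JSON)
# Constructed advisory feed keyed by purl; the ID is a placeholder, not a real CVE.
ADVISORIES = {"pkg:maven/org.example/logger@1.2.3": "ADV-PLACEHOLDER-0001"}

def check_ntia_minimum(sbom):
    """Return a list of NTIA minimum-element gaps found in the SBOM."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("missing SBOM timestamp")
    if not meta.get("authors"):
        gaps.append("missing SBOM author")
    if not sbom.get("dependencies"):
        gaps.append("missing dependency relationships")
    for c in sbom.get("components", []):
        label = c.get("name", "<unnamed>")
        for field in ("name", "version", "purl"):  # purl is the unique identifier
            if not c.get(field):
                gaps.append(f"{label}: missing {field}")
        if not c.get("supplier", {}).get("name"):
            gaps.append(f"{label}: missing supplier name")
    return gaps

def find_affected(sbom, advisories):
    """Match each component's purl against the advisory feed."""
    return [(c["name"], c["version"], advisories[c["purl"]])
            for c in sbom.get("components", [])
            if c.get("purl") in advisories]

if __name__ == "__main__":
    print("NTIA gaps:", check_ntia_minimum(SBOM))
    print("Affected:", find_affected(SBOM, ADVISORIES))
```

A real consumer would swap the inline advisory dict for a feed such as the NVD or OSV and run the check whenever a new advisory is published, which is the "search for new vulnerabilities" step the tools above automate.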
Don't believe the rhetoric; find the truth. Go look at the tools that are available to process SBOMs, then you can decide for yourself whether SBOM is implementable today.
Trey Herr's observation is astute: "the amount of flack that the trade associations put up was both confusing and disingenuous," Herr argues, especially given the urgent need to begin building and ingesting SBOMs.
The trade associations got what they asked for: SBOM was largely stripped from the Omnibus Bill. But this could turn out to be one of those cases where the vendors regret getting what they asked for, at a high political cost. It's just a matter of time before a hacker group succeeds in knocking out critical infrastructure somewhere, and all those members of Congress who stripped SBOM from the bill will be deluged with phone calls asking why they didn't do more to protect our critical infrastructure. Then they can tell their constituents why they crippled their cybersecurity professionals by blocking access to SBOMs that could have helped prevent the problem. "All politics are local" (Tip O'Neill).