Hardware Bills of Material with Deutsche Bahn

At Upstream 2023, I participated in a fireside chat with Luis Villa (Tidelift) and my colleague Erik Schaufuss exploring the fascinating intersection between Software Bills of Materials (SBOMs) and Hardware Bills of Materials (HBOMs) within Deutsche Bahn’s complex supply chain. As Germany’s national railway company with hundreds of federated subsidiaries, we face unique challenges in managing both rolling stock hardware and the increasingly software-driven assets within trains. The discussion centered on how lessons from the software supply chain transparency movement – particularly around standards like CycloneDX – can inform and improve hardware supply chain management.

The conversation explored Deutsche Bahn’s federated corporate structure and how this complexity makes supply chain management particularly challenging yet critical. We discussed the need for standards to communicate information across organizational boundaries, the clash between traditional hardware procurement and modern software practices, and how tracking components in both domains presents parallel challenges. The fireside chat highlighted practical experiences in bridging the gap between software and hardware supply chain transparency, and the importance of ISO standards and industry collaboration in this evolving space.

This session demonstrated that whether dealing with software packages or physical train components, the fundamental challenges of transparency, traceability, and security have more in common than one might initially expect.


