SBOM Requirements Under SEBI CSCRF
Under the SEBI CSCRF, regulated entities (REs) must maintain comprehensive SBOMs for their critical systems. What is expected scales with the entity's classification:
- Qualified REs and MIIs: Must maintain SBOMs for all critical systems, updated whenever those systems change and documented in full. Market Infrastructure Institutions (MIIs) face the strictest expectation: the dependency tree mapped to completion, including transitive dependencies, not just direct ones.
- Mid-size REs: Must maintain SBOMs for key systems, with lighter expectations on update frequency and on how deep the dependency tree is tracked.
- Small-size REs: Must implement basic SBOM practices covering primary components and their direct dependencies.
- Self-certification REs: Expected to maintain simplified SBOMs focused on critical components.
Integration with Cyber Capability Index (CCI)
The CSCRF includes SBOM management among the parameters scored in the Cyber Capability Index (CCI), a numeric measure of an entity's cybersecurity maturity. SBOM practice therefore feeds directly into the CCI score, and the score an entity must reach depends on its category:
- Qualified REs must maintain a minimum CCI score of 61
- MIIs are expected to achieve a "Manageable" score of 71 or higher
- Small-size REs need a minimum score of 51
Robust SBOM implementation helps organizations achieve these required CCI thresholds by demonstrating maturity in software supply chain security.
SBOM Documentation and Reporting
The CSCRF requires regulated entities to:
- Document every software component in critical trading, settlement, and risk management systems
- Record the essential SBOM elements for each component: name, version, supplier, licenses, and cryptographic hashes
- Record the encryption in use, the access controls, and the error handling methods associated with those components
- Track "known unknowns": components or dependency subtrees for which complete information is not available, recorded as incomplete rather than silently omitted
- Update SBOMs whenever components change, and re-check existing SBOMs against newly disclosed vulnerabilities
These requirements ensure that financial institutions maintain visibility into their software supply chains and can respond quickly to emerging threats.
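The checks behind those requirements can be automated. The following is an added example, not SEBI's code or any vendor's tooling; it assumes the SBOM is carried as a CycloneDX 1.5 JSON document (the CSCRF names the elements, not the format), that "known unknowns" are expressed with CycloneDX `compositions` whose `aggregate` is anything other than `complete`, and that the component names, supplier, and artifact bytes are constructed for illustration. It flags components missing any of the required elements, verifies a recorded SHA-256 against the bytes actually deployed, lists the declared known unknowns, and computes the component-level delta between two SBOM generations that should trigger a re-issue.

```python
"""Checks a CycloneDX-style SBOM for the elements called for above.

Added example, not part of the SEBI CSCRF or any vendor's product. Assumptions:
CycloneDX 1.5 JSON layout, 'compositions' used for known unknowns, and all
component names, suppliers and artifact bytes are constructed sample data.
"""
import hashlib
import json

# Constructed stand-in for a deployed library whose hash the SBOM records.
ARTIFACT = b"settle-core-1.4.2\x00constructed sample bytes"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed sample SBOM: 'settle-core' is fully described, 'risk-calc' lacks a
# supplier, licence and hash, and 'legacy-pricing' is declared an incomplete assembly.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "settle-core@1.4.2", "type": "library", "name": "settle-core",
         "version": "1.4.2", "supplier": {"name": "Example Vendor Ltd"},
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": ARTIFACT_SHA256}]},
        {"bom-ref": "risk-calc@2.0.0", "type": "library", "name": "risk-calc",
         "version": "2.0.0"},
        {"bom-ref": "legacy-pricing@0.9", "type": "library", "name": "legacy-pricing",
         "version": "0.9", "supplier": {"name": "Unknown"},
         "licenses": [{"license": {"name": "proprietary"}}],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
    ],
    "compositions": [
        {"aggregate": "incomplete", "assemblies": ["legacy-pricing@0.9"]},
    ],
}

# The per-component elements listed in the section above.
REQUIRED_FIELDS = ("name", "version", "supplier", "licenses", "hashes")


def check_required_fields(sbom):
    """Return {bom-ref: [missing fields]} for every component lacking a required element."""
    missing = {}
    for comp in sbom.get("components", []):
        gaps = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if gaps:
            missing[comp.get("bom-ref", comp.get("name", "?"))] = gaps
    return missing


def verify_hash(sbom, bom_ref, artifact_bytes):
    """True only if the component's recorded SHA-256 matches the bytes actually deployed."""
    for comp in sbom.get("components", []):
        if comp.get("bom-ref") == bom_ref:
            recorded = {h["content"].lower() for h in comp.get("hashes", [])
                        if h.get("alg") == "SHA-256"}
            return hashlib.sha256(artifact_bytes).hexdigest() in recorded
    return False  # unknown component: treat as unverified, never as a pass


def known_unknowns(sbom):
    """bom-refs whose composition is declared anything other than 'complete'."""
    refs = []
    for comp in sbom.get("compositions", []):
        if comp.get("aggregate") != "complete":
            refs.extend(comp.get("assemblies", []))
    return sorted(set(refs))


def changed_components(old_sbom, new_sbom):
    """(added, removed) sets of 'name@version' between two SBOM generations.

    Any non-empty result is the 'component changed' trigger for re-issuing the SBOM.
    """
    def keys(sbom):
        return {f"{c['name']}@{c.get('version')}" for c in sbom.get("components", [])}
    old, new = keys(old_sbom), keys(new_sbom)
    return new - old, old - new


if __name__ == "__main__":
    sbom = json.loads(json.dumps(SAMPLE_SBOM))  # round-trip as a file would be read
    print("missing elements:", check_required_fields(sbom))
    print("settle-core hash ok:", verify_hash(sbom, "settle-core@1.4.2", ARTIFACT))
    print("legacy-pricing hash ok:", verify_hash(sbom, "legacy-pricing@0.9", ARTIFACT))
    print("known unknowns:", known_unknowns(sbom))
    upgraded = json.loads(json.dumps(sbom))
    upgraded["components"][1]["version"] = "2.1.0"
    print("delta (added, removed):", changed_components(sbom, upgraded))
```

In an audit, the three report functions map directly onto the evidence an assessor will ask for: which components are incompletely described, whether the hashes in the SBOM correspond to what is running, and which parts of the tree the entity has explicitly declared as not fully known. The hash check deliberately returns `False` for a component that is absent from the SBOM, so a missing entry can never pass as verified.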
Compliance Timeline and Audits
According to the latest SEBI circular (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60) dated April 30, 2025, regulated entities must achieve SBOM compliance by June 30, 2025. The audit requirements vary by entity classification:
- Qualified REs and MIIs: Independent cybersecurity audit every 6 months, including SBOM verification
- Mid-size REs: Annual independent cybersecurity audit
- Small-size REs: Biennial (every two years) independent cybersecurity audit
During these audits, entities must demonstrate that their SBOMs are accurate, comprehensive, and regularly maintained according to SEBI guidelines.
SBOM in Risk Management
The CSCRF positions the SBOM as a core risk management tool, requiring regulated entities to:
- Use SBOMs to identify affected components quickly when a vulnerability is disclosed
- Incorporate SBOM analysis into vendor risk management, so that third-party software is assessed on its actual composition
- Maintain SBOMs for critical systems so that incident response can establish scope without a fresh inventory
- Use SBOMs as evidence of regulatory compliance during SEBI audits
By implementing robust SBOM practices, regulated entities can significantly enhance their security posture while meeting SEBI's regulatory requirements.