NTIA EO14028 Compliance
Background:
US Executive Order 14028 (May 2021) requires all software sold to the US federal government to include a Software Bill of Materials (SBOM). The NTIA (National Telecommunications and Information Administration) defined the minimum data fields required in every SBOM.
The 7 NTIA Minimum Elements:
| # | Element | NTIA Definition | How Deptic collects it |
|---|---|---|---|
| 1 | Supplier Name | The name of an entity that creates, defines, and identifies components | For npm: package author field from registry. For Maven: groupID. For pip: PyPI maintainer. Note: often unavailable — most common reason for scores below 100. |
| 2 | Component Name | Designation assigned to a unit of software defined by the originating supplier | Package name field from manifest |
| 3 | Version of the Component | Identifier used by the supplier to specify a change in software from a previously identified version | Version field from manifest and registry |
| 4 | Other Unique Identifiers | Other identifiers that are used to identify a component, or serve as a look-up key | Package URL (PURL) generated per component using standard pkg: scheme |
| 5 | Dependency Relationship | Characterizing the relationship that an upstream component X is included in software Y | Depth field: 0=direct, 1=transitive L1, 2=transitive L2. ParentName field links child to parent. |
| 6 | Author of SBOM Data | The name of the entity that creates the SBOM data for this component | "Deptic v1.2.0" set as SBOM author in all exports |
| 7 | Timestamp | Record of the date and time of the SBOM data assembly | UTC timestamp set at scan completion |
Scoring algorithm:
```text
score = 0

Element 1 (Supplier):
  coverage = components with non-empty supplier / total components
  if coverage == 100% → +14 points
  else → +14 * (coverage / 100)

Element 2 (Component Name):
  coverage = components with non-empty name / total
  passed = coverage == 100%
  if passed → +14 points

Element 3 (Version):
  coverage = components where version != "" AND != "unknown" AND != "latest"
  passed = coverage == 100%
  if passed → +14 points

Element 4 (Unique Identifiers / PURL):
  valid PURL = name + version + ecosystem all present
  coverage = components with valid PURL / total
  if coverage == 100% → +14 points

Element 5 (Dependency Relationships):
  count = components where depth > 0 AND parent_name != ""
  passed = count > 0
  if passed → +14 points

Element 6 (SBOM Author):
  passed = sbom_author != "" AND sbom_tool != ""
  if passed → +14 points

Element 7 (Timestamp):
  passed = generated_at is valid and within last 365 days
  if passed → +14 points

final_score = sum of all elements (max 100, 2 points rounding)
```
Compliance status thresholds:
| Score | Status | Meaning |
|---|---|---|
| 95–100 | COMPLIANT | Meets all NTIA minimum elements |
| 75–94 | PARTIALLY COMPLIANT | Meets most elements, minor gaps |
| 0–74 | NON-COMPLIANT | Significant data gaps — not suitable for federal submission |
The most common reason for scores below 100 is missing Supplier Name data. npm packages rarely include author metadata. Maven packages using groupID as supplier (e.g., org.springframework) are considered compliant for this element.
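The scoring algorithm and the threshold table above, carried through as an added Go example (not Deptic's own code): the struct field names are this example's assumptions, the timestamp check takes an injected clock so it is deterministic, and the page's "2 points rounding" is interpreted as reporting a clean sweep of all seven elements (7 × 14 = 98) as 100.

```go
package main

import "time"

// Component holds the per-dependency fields the score reads (field names are assumed, not Deptic's schema).
type Component struct {
	Name, Version, Supplier, Ecosystem, ParentName string
	Depth                                         int // 0 = direct, 1+ = transitive
}

// SBOM carries the document-level fields used by elements 6 and 7.
type SBOM struct {
	Components   []Component
	Author, Tool string
	GeneratedAt  time.Time
}

// NTIAScore applies the page's seven-element algorithm: element 1 earns
// proportional credit, the other six are all-or-nothing. "now" is injected so
// the 365-day timestamp check is deterministic; failed names the missed elements.
func NTIAScore(s SBOM, now time.Time) (score int, failed []string) {
	total := float64(len(s.Components))
	if total == 0 { return 0, []string{"no components"} }
	var supplier, named, versioned, purl, related float64
	for _, c := range s.Components {
		if c.Supplier != "" { supplier++ }
		if c.Name != "" { named++ }
		if v := c.Version; v != "" && v != "unknown" && v != "latest" { versioned++ }
		if c.Name != "" && c.Version != "" && c.Ecosystem != "" { purl++ } // inputs for a valid PURL
		if c.Depth > 0 && c.ParentName != "" { related++ }
	}
	sum := 14 * supplier / total // element 1: partial credit for partial coverage
	if supplier < total { failed = append(failed, "supplier-name") }
	names := []string{"component-name", "version", "purl", "dependency-relationship", "sbom-author", "timestamp"}
	passed := []bool{named == total, versioned == total, purl == total, related > 0, s.Author != "" && s.Tool != "",
		!s.GeneratedAt.IsZero() && !s.GeneratedAt.After(now) && now.Sub(s.GeneratedAt) <= 365*24*time.Hour}
	for i, ok := range passed {
		if ok { sum += 14 } else { failed = append(failed, names[i]) }
	}
	// Assumption: the page's "2 points rounding" means all seven elements passing
	// (7 x 14 = 98) reports as 100; any other total is rounded to the nearest integer.
	if len(failed) == 0 { return 100, nil }
	return int(sum + 0.5), failed
}

// Status maps a score onto the page's compliance thresholds.
func Status(score int) string {
	if score >= 95 { return "COMPLIANT" }
	if score >= 75 { return "PARTIALLY COMPLIANT" }
	return "NON-COMPLIANT"
}
```

Because only element 1 is proportional, a single component with version "latest" or a scan timestamp older than a year drops a whole 14-point element, which is why such an SBOM lands in PARTIALLY COMPLIANT rather than losing a point or two.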

