
Software Supply Chain & SBOM Risk Intelligence Solution

Software supply chains have corporate owners.

Software Bill of Materials requirements now reach the supplier behind each component, not just the package name: the NTIA minimum elements for an SBOM call for a supplier name on every component, but a supplier name is not an ownership chain. Sayari resolves the corporate network behind every component in your SBOM, identifying foreign state-linked ownership before it becomes an Executive Order compliance issue.

THE EXECUTIVE ORDER REALITY
68% of software components in U.S. federal agency SBOMs in 2024 had at least one upstream maintainer or vendor with beneficial ownership in China, Russia, or another designated foreign adversary country, according to CISA SBOM pilot analysis.
Source: CISA SBOM Pilot Program, Sayari Research, 2024
THE PROBLEM

Why SBOM compliance misses ownership risk

Software component transparency is now required – but most SBOM programs track packages, not the corporate ownership of the vendors who maintain them.

01

Foreign state-linked maintainers

Executive Order 14028 and OMB M-22-18 require agencies to obtain attestations (and, on request, SBOMs) from software producers and to assess software supply chain risk, which starts with knowing who the producer and its maintainers actually are. Most SBOM tools track package names, not the beneficial owners of the companies behind them.

02

Open-source corporate opacity

Major open-source projects receive significant contributions from developers employed by foreign state-linked corporations. Without corporate ownership data, SBOM reviewers can’t assess the national security implications of component dependencies.

03

Acquisition-driven exposure change

A software vendor that was benign at initial procurement may now be owned by a foreign state-linked acquirer. Software supply chain risk changes continuously – SBOM programs built on static data at procurement time miss this dynamic exposure.

THE SAYARI APPROACH

Corporate intelligence for software supply chains.

Sayari resolves the corporate identity and beneficial ownership of every software vendor and maintainer in your SBOM – identifying foreign state-linked ownership, sanctions connections, and acquisition-driven exposure changes.

SBOM Vendor Ownership Resolution

Submit your full software component list and Sayari resolves the corporate identity and beneficial ownership of every vendor and maintainer across 250+ jurisdictions.

Foreign State Ownership Detection

Trace software vendor ownership chains to identify Chinese, Russian, or other foreign state-linked beneficial owners – including ownership through holding companies, state investment vehicles, and nominally private entities.

Acquisition Alert Monitoring

Sayari Signal monitors your approved software vendor list for corporate ownership changes – alerting when a previously cleared vendor is acquired by a foreign state-linked entity.

EO 14028 Compliance Documentation

Sayari produces source-cited vendor ownership reports formatted for SBOM attestation documentation under Executive Order 14028 and OMB M-22-18 requirements.

[Product visual: Sayari Graph, software vendor ownership network]
WHY SAYARI

SBOM-only tools vs Sayari

SBOM-ONLY TOOLS
Package and dependency tracking only: no corporate identity or ownership data for vendors.
No beneficial ownership resolution: cannot identify foreign state-linked ownership through holding structures.
Static at procurement time: does not detect post-acquisition foreign ownership changes.
No EO 14028 or sanctions database integration for vendor risk assessment.

SAYARI
Full corporate identity and beneficial ownership resolution for every software vendor in your SBOM.
Foreign state ownership detection across 250+ jurisdictions, including holding company and investment vehicle structures.
Continuous monitoring: Sayari Signal alerts when vendor ownership changes to a foreign state-linked entity.
Integrated sanctions and enforcement screening: flags vendors with designations or enforcement history.
RESULTS

Measured outcomes from SBOM compliance deployments

COVERAGE: 250+ jurisdictions with corporate registry data for software vendor ownership resolution.
SPEED: 24-hour typical turnaround for full SBOM vendor ownership resolution via the Sayari API for lists of 1,000+ components.
DOCUMENTATION: EO-ready, source-cited vendor ownership reports formatted for EO 14028 and OMB M-22-18 attestation requirements.
GET STARTED

Map the ownership behind your software supply chain.

Request a demo to see Sayari resolve vendor ownership for a sample SBOM – identifying foreign state-linked ownership in your software supply chain.

FREQUENTLY ASKED QUESTIONS

Common questions about software supply chain risk

What is an SBOM, and why does it matter for ownership risk?

An SBOM is a formal, machine-readable inventory of the components, libraries, and dependencies within a product, usually exchanged in the SPDX or CycloneDX formats. Executive Order 14028 (Improving the Nation’s Cybersecurity) directed the Department of Commerce and NTIA to publish the minimum elements of an SBOM, one of which is a supplier name for each component. SBOMs matter for enterprise risk because that supplier name is the starting point for resolving who actually owns or controls each third-party component, and therefore for exposing FOCI (Foreign Ownership, Control, or Influence) risk when software originates from or depends on vendors owned by foreign adversaries.
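As an added example (not Sayari’s code or API), here is the first step of the procedure this page describes: pulling the supplier behind every component out of an SBOM so the resulting vendor list can be screened for ownership. It reads CycloneDX JSON (supplier.name, then the looser publisher and author strings) and SPDX JSON (supplier or originator in "Organization: X" / "Person: X" form), merges spelling variants of one vendor, and lists components that record no supplier at all, which no ownership screen can resolve until someone fills that in. The two SBOMs are constructed inline and the vendors and packages in them are fictitious.

```python
"""Turn an SBOM into the vendor list an ownership screen needs.

Reads CycloneDX or SPDX JSON, pulls the supplier behind each component,
merges spelling variants of one vendor, and reports components that name
no supplier at all (they cannot be screened until someone fills that in).
"""
import json
import re
from collections import defaultdict

# Constructed sample SBOMs. Vendors and packages are fictitious.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "purl": "pkg:npm/libfoo@1.2.0",
         "supplier": {"name": "Foo Software Ltd"}},
        {"type": "library", "name": "bar-core", "version": "3.0.1",
         "purl": "pkg:maven/com.example/bar-core@3.0.1",
         "publisher": "Example Holdings"},
        # No supplier, publisher or author: the screen has nothing to resolve.
        {"type": "library", "name": "leftpad", "version": "0.0.9",
         "purl": "pkg:npm/leftpad@0.0.9"},
        # Same vendor as libfoo, spelled differently and with no purl.
        {"type": "library", "name": "libfoo-utils", "version": "1.2.0",
         "supplier": {"name": "foo software ltd."}},
    ],
})

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.13",
         "supplier": "Organization: OpenSSL Foundation"},
        {"name": "zlib", "versionInfo": "1.3", "supplier": "NOASSERTION"},
        {"name": "tool-x", "versionInfo": "2.1",
         "originator": "Person: Jane Doe (jane@example.org)"},
    ],
})

CORP_SUFFIXES = {"ltd", "limited", "inc", "incorporated", "llc", "corp", "corporation",
                 "co", "company", "gmbh", "ag", "sa", "plc", "pty", "bv"}


def normalize_vendor(name):
    """Dedup key: casefold, drop punctuation, strip trailing corporate suffixes."""
    tokens = re.sub(r"[^\w\s]", " ", name.casefold()).split()
    while tokens and tokens[-1] in CORP_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


_SPDX_ACTOR = re.compile(r"^(Organization|Person|Tool):\s*(.*?)(\s*\([^)]*\))?\s*$")


def spdx_actor_name(value):
    """Parse an SPDX supplier/originator string; None if absent, NOASSERTION or a tool."""
    if not value or value.strip().upper() in {"NOASSERTION", "NONE"}:
        return None
    m = _SPDX_ACTOR.match(value.strip())
    if not m:
        return value.strip()
    if m.group(1) == "Tool":          # a tool produced the package; it is not a supplier
        return None
    return m.group(2) or None


def cyclonedx_supplier(comp):
    """CycloneDX: supplier.name first, then the looser publisher/author strings."""
    return (comp.get("supplier") or {}).get("name") or comp.get("publisher") or comp.get("author")


def extract_components(doc):
    """Yield (component id, raw supplier string or None) for either format."""
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            cid = c.get("purl") or f"{c.get('name')}@{c.get('version', '?')}"
            yield cid, cyclonedx_supplier(c)
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            cid = f"{p.get('name')}@{p.get('versionInfo', '?')}"
            yield cid, spdx_actor_name(p.get("supplier")) or spdx_actor_name(p.get("originator"))
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")


def vendor_list(sbom_text):
    """Group components by normalised vendor; list those with no resolvable supplier."""
    vendors = defaultdict(lambda: {"names": set(), "components": []})
    unattributed = []
    for cid, raw in extract_components(json.loads(sbom_text)):
        key = normalize_vendor(raw) if raw else ""
        if not key:
            unattributed.append(cid)
            continue
        vendors[key]["names"].add(raw.strip())
        vendors[key]["components"].append(cid)
    return {"vendors": dict(vendors), "unattributed": unattributed}


if __name__ == "__main__":
    for sample in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
        result = vendor_list(sample)
        for key, v in result["vendors"].items():
            print(f"screen: {key!r} seen as {sorted(v['names'])} -> {len(v['components'])} component(s)")
        for cid in result["unattributed"]:
            print(f"no supplier recorded: {cid}")
```

The keys of `vendors` are what goes to an ownership screen; the `names` set keeps every spelling so the screen's results can be mapped back to the exact strings in the SBOM, and `unattributed` is the list to push back to the producer, because a component with no supplier is exactly the gap the page describes.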
Why does the ownership of a software vendor matter?

Foreign-owned software vendors may be subject to data access requirements, export controls, or coercive pressure from their home governments. A vendor ultimately controlled by a Chinese state-owned enterprise, for example, falls under legal obligations such as Article 7 of China’s 2017 National Intelligence Law to support and cooperate with state intelligence work, and a vendor majority-owned by an entity on the BIS Entity List carries export-control restrictions of its own. Neither fact is visible in a code review: standard cybersecurity assessments review code, not ownership chains. Sayari identifies this ownership risk using corporate registry data across 250+ jurisdictions before procurement decisions are made.
Which requirements apply to federal contractors?

Federal contractors face software supply chain requirements under OMB Memorandum M-22-18 (producer attestations, with SBOMs on request) and the C-SCRM guidance in NIST SP 800-161r1. NDAA provisions restrict federal procurement from named foreign adversary technology companies, among them Section 1634 of the FY2018 NDAA (Kaspersky Lab products) and Section 889 of the FY2019 NDAA (covered telecommunications and video surveillance equipment). CMMC 2.0 requirements include supply chain risk management for CUI-handling contractors. State-level regulations (including New York DFS) increasingly require vendor risk assessments that address ownership and control, not just technical security controls.
How does Sayari find ownership risk in a software supply chain?

Sayari traces corporate ownership from software vendors back to ultimate beneficial owners across 250+ jurisdictions, identifying ties to foreign government entities, state-owned enterprises, or parties on the BIS Entity List, OFAC SDN List, or DoD Section 1260H list. Unlike point-in-time assessments, Sayari’s continuous monitoring alerts procurement and security teams when ownership of an existing vendor changes, enabling a response before contracts renew.
Resources & Insights

Recommended Resources

Investigation Brief: Space Tech Diversion & Cybersecurity. Tracking supply chain vulnerabilities in satellite and communications tech.
Investigation Brief: Drone Technology Supply Chain Security. Component sourcing, assembly, and cybersecurity risks in UAS platforms.
Investigation Brief: Critical Talent & Technology Acquisition. Mapping efforts to recruit scientists and access advanced technologies.