Cybersecurity is hard enough. Doing it across federal agencies is a mammoth task.
A Software BOM is good. A services BOM is better. With whom are you outsourcing your storage, compute, identity, NLP, pattern recognition, etc? Who else touches my data or APIs or network or devices under your auspices? Give me something to audit and crawl to find data breaches, identity vulnerabilities, outages, etc.