The US cybersecurity agency CISA is seeking public feedback on updated guidance for the minimum elements for a Software Bill of Materials (SBOM).
Building on the 2021 NTIA SBOM Minimum Elements, the guidance (PDF) reflects changes in supply chain security and software transparency and aims to help organizations more efficiently manage software risks.
SBOMs provide organizations with a detailed inventory of software components, helping them identify vulnerabilities, perform risk assessments, and make informed decisions regarding the applications they deploy and use.
“As adoption of SBOMs has grown across the public and private sectors, so too has the need for machine-processable formats that support scalable implementation and integration into broader cybersecurity practices,” CISA notes.
The draft guidance details the benefits of SBOMs and how their implementation improves software component transparency, arguing that the minimum elements, which specify the baseline technology and practices every SBOM should meet, are a driver of security.
The minimum elements have been split into three categories, namely data fields, automation support, and practices and processes.
At the core of an SBOM, the guidance explains, is the information about each software component, structured within data fields, to help identify and track the components across the software supply chain and map them to various sources of data, such as vulnerability databases.
An SBOM should include data fields such as the SBOM author, the software producer, component name, component version, software identifiers, component hash, license, dependency relationship, the name of the tool used to generate the SBOM, timestamp, and generation context.
Support for automation, the guidance shows, is critical for managing software components at scale, and depends on SBOMs being interoperable with one another. Minimum support for automation involves using widely adopted, open source, and interoperable data formats.
Currently, there are two data formats widely used by the software ecosystem, namely Software Package Data eXchange (SPDX) and CycloneDX, which are both machine-processable and human-readable.
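The data fields listed above map naturally onto either of these formats. The following Python checker is an added example, not code from CISA or from the guidance: it walks a constructed CycloneDX-style SBOM document and reports which of the minimum data fields are missing at the document level and per component, and whether every component is placed in the dependency graph. The mapping from each minimum element to a CycloneDX field (`purl`/`cpe`/`swid` for software identifiers, `supplier` for the software producer, `metadata.authors` for the SBOM author, `metadata.tools` for the generation tool) is my assumption, as is the sample document.

```python
import json
from typing import Callable, Dict, List

# Constructed sample CycloneDX-style SBOM; not from CISA or any real project.
# lib-b deliberately lacks a hash, a license and a supplier, and is never
# referenced in the dependency graph, so the checker has something to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-08-22T00:00:00Z",
        "tools": [{"name": "example-sbom-generator"}],
        "authors": [{"name": "Example Build Team"}],
        "component": {"bom-ref": "app", "type": "application",
                      "name": "example-app", "version": "2.0.0",
                      "supplier": {"name": "Example Corp"}},
    },
    "components": [
        {"bom-ref": "lib-a", "type": "library", "name": "lib-a", "version": "1.4.2",
         "purl": "pkg:pypi/lib-a@1.4.2",
         "supplier": {"name": "Lib A Maintainers"},
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "lib-b", "type": "library", "name": "lib-b", "version": "0.9.0",
         "purl": "pkg:pypi/lib-b@0.9.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a"]},
        {"ref": "lib-a", "dependsOn": []},
    ],
})

# Minimum elements that live on the SBOM as a whole (assumed CycloneDX mapping).
DOC_LEVEL: Dict[str, Callable[[dict], bool]] = {
    "sbom_author": lambda m: bool(m.get("authors")),
    "timestamp": lambda m: bool(m.get("timestamp")),
    "generation_tool": lambda m: bool(m.get("tools")),  # list (legacy) or object
}

# Minimum elements that every listed component must carry (assumed mapping).
COMPONENT_LEVEL: Dict[str, Callable[[dict], bool]] = {
    "component_name": lambda c: bool(c.get("name")),
    "component_version": lambda c: bool(c.get("version")),
    "software_identifier": lambda c: bool(c.get("purl") or c.get("cpe") or c.get("swid")),
    "component_hash": lambda c: bool(c.get("hashes")),
    "license": lambda c: bool(c.get("licenses")),
    "software_producer": lambda c: bool((c.get("supplier") or {}).get("name")),
}


def check_minimum_elements(sbom_json: str) -> dict:
    """Return a report of missing minimum elements for a CycloneDX-style SBOM."""
    doc = json.loads(sbom_json)
    meta = doc.get("metadata", {})
    components = doc.get("components", [])
    report: dict = {"document": [], "components": {}, "dependency_gaps": []}

    for element, present in DOC_LEVEL.items():
        if not present(meta):
            report["document"].append(element)

    for comp in components:
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        missing = [e for e, present in COMPONENT_LEVEL.items() if not present(comp)]
        if missing:
            report["components"][ref] = missing

    # Dependency relationship: a component that appears neither as a graph node
    # nor as anyone's dependency cannot be placed in the supply chain.
    graph_refs = set()
    for dep in doc.get("dependencies", []):
        graph_refs.add(dep.get("ref"))
        graph_refs.update(dep.get("dependsOn", []))
    for comp in components:
        ref = comp.get("bom-ref")
        if ref and ref not in graph_refs:
            report["dependency_gaps"].append(ref)

    return report


def is_compliant(report: dict) -> bool:
    """True only when no document-level, component-level or graph gaps remain."""
    return not (report["document"] or report["components"] or report["dependency_gaps"])


if __name__ == "__main__":
    result = check_minimum_elements(SAMPLE_SBOM)
    print(json.dumps(result, indent=2))
    print("compliant:", is_compliant(result))
```

Running the block against the sample prints an empty document-level list, flags `lib-b` for the missing hash, license and producer, and lists `lib-b` as a dependency gap. Pointing the same checker at an SPDX document would need a different field mapping, since SPDX expresses the same elements (creator, created, packages, relationships) under other names.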
“An organization’s practices and processes for SBOM use should integrate SBOMs into the software development life cycle. An organization should explicitly address these elements in any policy, contract, or arrangement to ask for or provide SBOMs,” the guidance reads.
SBOM integration elements that organizations should consider include frequency of generation, coverage, dependency information that is unknown, distribution and delivery, and accommodation of updates to SBOM data.
CISA’s updated guidance also covers the implementation of SBOMs in cloud and AI software, SBOM data validation, and the correlation of SBOMs with security advisories.
“As new use cases emerge and technology evolves, SBOM minimum elements should evolve to continue to provide transparency into software components. An SBOM alone is data about software components. Analysis of SBOMs transforms data into insights about associated risks,” the guidance reads.
CISA opened the public comment period for the updated guidance on August 22. Interested parties have until October 3, 2025, to provide feedback, via the Federal Register.