The Cybersecurity and Infrastructure Security Agency has released a draft of the updated Minimum Elements for a Software Bill of Materials, opening a public comment period as it works to strengthen transparency in the software supply chain.
Evolving Standards for SBOM
The draft builds on the 2021 SBOM Minimum Elements published by the National Telecommunications and Information Administration and reflects advances in tooling, usage and adoption of SBOM practices across government and industry. By incorporating such advancements, the new version raises expectations for how software components are documented and shared.
New challenges, vulnerabilities and concerns arise amid the growing global competition. The Potomac Officers Club’s 2025 Homeland Security Summit, hosted on Nov. 12, offers insights into the most pressing threats facing the country and the measures being implemented to counteract them. Join now to stay informed about key developments in homeland security.
CISA noted that SBOMs have become a critical tool in understanding software dependencies, identifying vulnerabilities and supporting risk-informed decision-making. The update adds new minimum elements, namely component hash, license, tool name and generation context, while clarifying existing requirements for SBOM author, software producer and component name, among other elements.
Chris Butera, CISA acting executive assistant director for cybersecurity, said the draft was developed in coordination with industry, interagency and international partners to support broader SBOM adoption.
“SBOM is a valuable tool that helps software manufacturers with addressing supply chain risks and several best practices have evolved significantly in recent years,” Butera noted. “This voluntary guidance will empower federal agencies and other organizations to make risk-informed decisions, strengthen their cybersecurity posture, and support scalable, machine-readable solutions. We encourage members of the public to review this guidance and provide comment on how we can improve this list of minimum elements.”
SBOM Guidance Public Comment Period
Members of the public may submit comments on the draft through Oct. 3. CISA plans to issue a revised version of the SBOM minimum elements after reviewing the feedback.
