The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is calling for comments on a draft guide to help federal agencies generate or request a software bill of materials (SBOM) for their products.
CISA released the 2025 Minimum Elements for a Software Bill of Materials document on Aug. 22, asking for comments through Oct. 3. The draft builds on a 2021 document produced by the National Telecommunications and Information Administration (NTIA) at the direction of President Joe Biden in Executive Order 14028 in May of that year. (See Biden Directs Federal Cybersecurity Overhaul.)
SBOMs are formal records of the components used to build a software application, including who supplied each component and how the pieces relate to one another in the supply chain. Modern applications are rarely written from the ground up; they are assembled largely from libraries and other code in public or private repositories, pulled in as dependencies through package managers or, in some cases, copied directly into a developer’s project with few changes.
This means that a vulnerability in one of these shared components can propagate quickly to customers throughout the world. That is what happened with Log4j, an open-source logging library from Apache present in software used by companies across a wide range of industries. In December 2021, researchers disclosed a flaw in the library (CVE-2021-44228, widely known as Log4Shell) that allowed unauthenticated remote attackers to execute arbitrary code on affected systems.
An SBOM helps to mitigate this issue by giving customers a quick, machine-readable reference for the provenance of various components. The NTIA’s guidance in 2021 “defined expectations for SBOM implementation,” CISA said in the introduction to its guidance, but with advancements in the “SBOM state of art” since then, the agency released the new document to update “baseline data fields, practices and processes for SBOMs generated or requested by U.S. agencies.”
3 Categories for Elements
Like the earlier document, CISA’s guidance separates the minimum elements into three categories: data fields, automation support, and practices and processes. This organization is meant to “support an evolving approach to software transparency by capturing both the technology and the functional operation.”
Data fields provide baseline information about each component of the software application, including the developer, the component’s name, its version number, a timestamp of the most recent update to the SBOM data, any licenses under which it is made available and its relationships with other components. Some of these elements are updated from the NTIA guide for improved clarity, while others, such as the license, are new to CISA’s document.
Automation support means ensuring that the SBOM can be read as widely as possible through standardized file formats. CISA acknowledged that the decision about which format to use can vary based on factors specific to each organization and encouraged agencies to “accept any widely used, interoperable and machine-processable SBOM format,” though it also suggested readers not accept SBOMs in deprecated versions of any format in order to maintain the widest compatibility.
The practices and processes elements cover how SBOMs are produced and handled: generating a new SBOM with each new build or release of a software application, listing all known software dependencies and explicitly identifying where information is incomplete, making SBOMs available promptly to those who need them, and accommodating updates, including corrections to SBOM data.
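As an added illustration of how a receiving agency might apply the three categories above in practice (this is example code, not from CISA’s draft or from any SBOM tool), the following Python checker reads a CycloneDX JSON SBOM, rejects unsupported or deprecated spec versions, reports which of the data fields the article lists (supplier, name, version, licenses, timestamp, relationships) are missing from each component, and flags components that appear nowhere in the dependency graph, so that incomplete areas are identified rather than silently accepted. The JSON layout follows the CycloneDX 1.5 schema, the article’s “developer” is mapped to CycloneDX’s `supplier`, and the accepted-version list and the sample SBOM are assumptions constructed for this example.

```python
"""Added example: check a CycloneDX JSON SBOM for the minimum elements summarised above."""
import json

# Assumption: the consumer accepts these CycloneDX spec versions and treats
# anything older as deprecated. The exact list is a local policy choice.
ACCEPTED_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}

# Constructed sample SBOM (not from CISA or any real product). The second
# library is deliberately incomplete so the checker has something to flag.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2025-08-22T12:00:00Z",
        "component": {
            "type": "application", "bom-ref": "app",
            "name": "example-app", "version": "2.1.0",
            "supplier": {"name": "Example Corp"},
            "licenses": [{"license": {"id": "MIT"}}],
        },
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
            "name": "log4j-core", "version": "2.17.1",
            "supplier": {"name": "Apache Software Foundation"},
            "licenses": [{"license": {"id": "Apache-2.0"}}],
        },
        {
            # Missing supplier, version and licenses; never listed as a dependency.
            "type": "library", "bom-ref": "pkg:generic/mystery-lib",
            "name": "mystery-lib",
        },
    ],
    "dependencies": [
        {"ref": "app",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"]},
    ],
}


def component_issues(comp):
    """Return the names of minimum data fields missing from one component."""
    missing = []
    if not comp.get("supplier", {}).get("name"):
        missing.append("supplier")
    for field in ("name", "version"):
        if not comp.get(field):
            missing.append(field)
    if not comp.get("licenses"):
        missing.append("licenses")
    return missing


def check_sbom(doc):
    """Validate format/version, SBOM-level fields, per-component fields and relationships.

    Returns {'accepted': bool, 'complete': bool, 'findings': [str]}.
    'accepted' is False only for an unsupported or deprecated format;
    'complete' is True only when no data field or relationship is missing.
    """
    if doc.get("bomFormat") != "CycloneDX":
        return {"accepted": False, "complete": False,
                "findings": ["unsupported SBOM format"]}
    if doc.get("specVersion") not in ACCEPTED_SPEC_VERSIONS:
        return {"accepted": False, "complete": False,
                "findings": [f"deprecated spec version {doc.get('specVersion')}"]}

    findings = []
    meta = doc.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("sbom: missing timestamp")
    primary = meta.get("component")
    if primary is None:
        findings.append("sbom: missing primary component")

    # The primary component is held to the same field requirements as its parts.
    components = ([primary] if primary else []) + doc.get("components", [])
    for comp in components:
        for field in component_issues(comp):
            findings.append(f"{comp.get('name', '?')}: missing {field}")

    # Relationship check: every component must appear somewhere in the dependency graph.
    refs_seen = set()
    for dep in doc.get("dependencies", []):
        refs_seen.add(dep.get("ref"))
        refs_seen.update(dep.get("dependsOn", []))
    for comp in components:
        if comp.get("bom-ref") not in refs_seen:
            findings.append(f"{comp.get('name', '?')}: no dependency relationship recorded")

    return {"accepted": True, "complete": not findings, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

Run against the sample, the checker accepts the document (the format and version are fine) but reports it as incomplete, listing the three fields `mystery-lib` lacks and the fact that nothing declares a dependency on it. Separating “accepted” from “complete” mirrors the draft’s distinction between automation support (can the file be processed at all?) and practices and processes (does it honestly mark what is unknown?).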
The draft also provided further areas for consideration as SBOMs and their tooling continue to mature: SBOMs in cloud environments and artificial intelligence systems, validation methods for SBOM formats and correlating SBOMs with industry security advisories. CISA said continued discussion of these and other emerging issues can help ensure that the minimum elements and best practices keep up with the changing pace of industry evolution.
“[An] SBOM is a valuable tool that helps software manufacturers with addressing supply chain risks, and several best practices have evolved significantly in recent years,” Chris Butera, CISA acting executive assistant director for cybersecurity, said in a statement. “This voluntary guidance will empower federal agencies and other organizations to make risk-informed decisions, strengthen their cybersecurity posture and support scalable, machine-readable solutions.”
CISA is accepting feedback through the Federal Register. The agency said comments will be used to refine the document ahead of the final draft.