The US Cybersecurity and Infrastructure Security Agency (CISA) has released a draft update of its Software Bill of Materials (SBOM) minimum elements, inviting public feedback on the proposed guidance through October 3, 2025. The draft aims to reflect the progress made in SBOM practices since the original guidelines were issued in 2021.
For the eeNews Europe audience—particularly embedded systems engineers, cybersecurity specialists, and enterprise software vendors—this development signals a stronger push toward transparency in the software supply chain, a critical factor in managing security risks across increasingly complex systems.
SBOMs serve as a detailed inventory of a software product’s components—often described as the “ingredients list” of software. With more organizations now generating, sharing, and consuming SBOM data, the updated guidance raises the bar for what information should be included and how it should be documented.
Since the National Telecommunications and Information Administration (NTIA) issued the original SBOM Minimum Elements in 2021, the ecosystem has matured significantly. Tools for SBOM creation have improved, and both producers and consumers of SBOMs are now more familiar with their structure and use.
The 2025 draft introduces several new elements that reflect these advancements, including component hash, license, tool name, and generation context. Existing fields—such as component version, SBOM author, and software producer—have been clarified and updated to support broader adoption and automation.
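A practical way to see what the minimum-element list asks of an SBOM is to check an actual document against it. The checker below is an added example and is not code from CISA, NTIA or the eeNews article; it walks a CycloneDX-style JSON SBOM and reports which elements are absent at the document level (author, timestamp, tool name, software producer) and per component (name, version, supplier, hash, license). The mapping of the draft's element names onto CycloneDX fields (`metadata.authors`, `metadata.tools[].name`, `metadata.lifecycles` standing in for "generation context", `components[].hashes`, `components[].licenses`) is an assumption made here for illustration, and the sample SBOM is constructed inline so the script runs offline.

```python
"""Report which SBOM minimum elements a CycloneDX-style JSON document is missing.

Assumptions (not from the CISA draft itself): element names are mapped onto
CycloneDX 1.5-like fields as noted in the comments below.
"""
import hashlib
import json

# Digest lengths (hex characters) for the hash algorithms we accept as well-formed.
HASH_HEX_LENGTHS = {"SHA-1": 40, "SHA-256": 64, "SHA-512": 128}

# Constructed sample: one complete component (zlib) and one incomplete one (libfoo).
# The zlib digest is computed over constructed bytes purely so it is a valid SHA-256.
ZLIB_DIGEST = hashlib.sha256(b"constructed zlib archive bytes").hexdigest()
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-09-01T12:00:00Z",
        "lifecycles": [{"phase": "build"}],            # assumed stand-in for "generation context"
        "tools": [{"name": "example-sbom-tool", "version": "0.1"}],  # "tool name"
        "authors": [{"name": "Example SBOM Team"}],     # "SBOM author"
        "component": {                                  # the product the SBOM describes
            "name": "firmware-app",
            "version": "2.4.0",
            "supplier": {"name": "Example Vendor"},     # "software producer"
        },
    },
    "components": [
        {
            "name": "zlib",
            "version": "1.3.1",
            "supplier": {"name": "zlib project"},
            "hashes": [{"alg": "SHA-256", "content": ZLIB_DIGEST}],
            "licenses": [{"license": {"id": "Zlib"}}],
        },
        {"name": "libfoo", "version": "", "supplier": {"name": ""}},
    ],
}


def hash_is_well_formed(entry):
    """A hash entry counts only if its algorithm is known and the digest has the right hex length."""
    expected = HASH_HEX_LENGTHS.get(entry.get("alg"))
    content = entry.get("content", "")
    if expected is None or len(content) != expected:
        return False
    return all(c in "0123456789abcdefABCDEF" for c in content)


def check_component(comp):
    """Return the list of component-level minimum elements missing from one component."""
    missing = []
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    if not (comp.get("supplier") or {}).get("name"):
        missing.append("supplier")
    if not any(hash_is_well_formed(h) for h in comp.get("hashes") or []):
        missing.append("hash")
    if not comp.get("licenses"):
        missing.append("license")
    return missing


def check_sbom(sbom):
    """Return document-level gaps and, per component, component-level gaps (only non-empty ones)."""
    meta = sbom.get("metadata", {})
    document = []
    if not meta.get("timestamp"):
        document.append("timestamp")
    if not meta.get("authors"):
        document.append("author")
    if not any(t.get("name") for t in meta.get("tools") or []):
        document.append("tool name")
    if not meta.get("lifecycles"):
        document.append("generation context")
    if not ((meta.get("component") or {}).get("supplier") or {}).get("name"):
        document.append("software producer")

    components = {}
    for index, comp in enumerate(sbom.get("components") or []):
        gaps = check_component(comp)
        if gaps:
            components[comp.get("name") or f"<unnamed #{index}>"] = gaps
    return {"document": document, "components": components}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
```

Run against the constructed sample, the document level passes and `libfoo` is reported as missing its version, supplier, hash and license. The hash check deliberately rejects a digest of the wrong length rather than trusting any string, since a malformed hash gives a consumer no way to match the component against a known artefact.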
CISA emphasized the collaborative nature of this update, encouraging input from both public and private stakeholders around the world.
“CISA remains focused on working with industry, interagency, and international partners to develop resources to increase SBOM adoption across the broader software ecosystem, the U.S. government, and the world,” said Chris Butera, Acting Executive Assistant Director for Cybersecurity at CISA. “SBOM is a valuable tool that helps software manufacturers with addressing supply chain risks and several best practices have evolved significantly in recent years. This voluntary guidance will empower federal agencies and other organizations to make risk-informed decisions, strengthen their cybersecurity posture, and support scalable, machine-readable solutions. We encourage members of the public to review this guidance and provide comment on how we can improve this list of minimum elements.”
The Federal Register hosts the draft for review, and the public can submit comments until October 3, 2025. CISA plans to finalize the guidance after reviewing public input.