CISA Issues Draft Software Bill of Materials Guide for Public Comment
WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released a draft Minimum Elements for a Software Bill of Materials (SBOM) for public comment. Reflecting the growing maturity of SBOM practices, this guide incorporates lessons learned from increased SBOM generation and usage and provides an updated baseline for how software component information is documented and shared. Members of the public may submit public comment on this guidance starting today.
Software continues to underpin critical systems and services, and transparency into its composition is essential. SBOMs illuminate the software supply chain by providing data about software’s ingredients. Analysis of SBOM data gives organizations insights about their software that can then drive actions to improve software security.
Since the 2021 SBOM Minimum Elements was published by the National Telecommunications and Information Administration (NTIA), SBOM practices have evolved significantly to include expanded tooling and increased stakeholder familiarity and adoption. The advancements of tooling and adoption allow organizations requesting SBOMs to demand more information about their software components and supply chain than they could have in 2021. By incorporating these advancements, the 2025 SBOM Minimum Elements raises expectations for SBOMs to align with current capabilities.
“CISA remains focused on working with industry, interagency, and international partners to develop resources to increase SBOM adoption across the broader software ecosystem, the U.S. government, and the world. SBOM is a valuable tool that helps software manufacturers with addressing supply chain risks and several best practices have evolved significantly in recent years,” said CISA Acting Executive Assistant Director for Cybersecurity Chris Butera. “This voluntary guidance will empower federal agencies and other organizations to make risk-informed decisions, strengthen their cybersecurity posture, and support scalable, machine-readable solutions. We encourage members of the public to review this guidance and provide comment on how we can improve this list of minimum elements.”
Additions introduced in the draft Minimum Elements for a SBOM include component hash, license, tool name, and generation context. Existing elements, such as SBOM author, software producer, component version, and others, have been updated for improved clarity. The public comment period concludes on October 3, 2025. During the comment period, members of the public can provide comments and feedback via Federal Register: Request for Comment on 2025 Minimum Elements for a Software Bill of Materials. Following the public comment period, CISA will issue a revised version of the minimum elements.
For more information and resources, visit Software Bill of Materials (SBOM) on CISA.gov.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.