CISA, NSA and 19 International Partners Release Shared Vision of Software Bill of Materials for Cybersecurity Guide
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and 19 international partners released a joint guide today on the value that increased software component and supply chain transparency can offer to the global community by implementing software bill of materials (SBOM). This guide informs producers of software, organizations procuring software, and operators of software about the advantages of integrating SBOM generation, analysis, and sharing into security processes and practice.
As modern software increasingly relies on third-party and open source components, SBOMs offer a foundational step toward understanding and mitigating supply chain vulnerabilities. This guide emphasizes the importance of SBOMs in identifying risks within software components and encourages their integration into security practices. It encourages alignment of SBOM technical implementations across countries and sectors to help ensure interoperability, reduce complexity, and enable scalable adoption.
“The ever-evolving cyber threats facing government and industry underscore the critical importance of securing the software supply chain and its components. Widespread adoption of SBOM is an indispensable milestone in advancing secure-by-design software, fortifying resilience, and measurably reducing risk and cost,” said Madhu Gottumukkala, Acting Director of CISA. “This guide exemplifies and underscores the power of international collaboration to deliver tangible outcomes that strengthen security and build trust. Together, we are driving efforts to advance software supply chain security and drive unparalleled transparency, fundamentally improving decision-making in software creation and utilization.”
An SBOM is a formal record detailing the components and supply chain relationships used in building software. SBOMs act as a software “ingredients list,” providing organizations with essential visibility into software dependencies and enabling them to identify components, assess risks, and take proactive measures to mitigate vulnerabilities.
Software producers, purchasers, and operators are encouraged to review this guide and integrate SBOM generation, analysis, and sharing into their security practices. A coordinated, global approach to SBOM will reduce complexity, improve effectiveness, and support secure-by-design software development.
This guide reflects and reinforces the importance of international cooperation that produces outcomes that reduce risk and strengthen trust. Leadership statements from co-authoring organizations are located at Statements of Support on A Shared Vision of SBOM for Cybersecurity.
For more information on CISA’s SBOM guidance and resources, visit the SBOM webpage on CISA.gov.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.