The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new draft guide for software bills of material (SBOMs) that makes several major updates to the minimum elements first published in 2021.The 2025 SBOM Minimum Elements draft document, released for public comment on August 22, 2025, aims to adapt SBOM adoption to the evolving tools, practices and expectations of the last four years.SBOMs serve as a “list of ingredients” for software components that help purchasers and adopters of these components understand their software supply chain risk and exposure to potential vulnerabilities among dependencies.The 2025 update adds additional clarity to the list of minimum elements CISA recommends SBOMs include, including new minimum elements and improved definitions for existing elements. For example, the new draft version adds component hash, license, tool name and generation context to the list of SBOM data fields. Tool name refers to the name of the tool used to create the SBOM, and generation context lets the SBOM recipient know at which phase of the software lifecycle the SBOM was generated.Major changes were also made to most of the other data fields, including “supplier name,” which was changed to “software producer” to reduce ambiguity about a software component’s source, and “other identifiers,” which was changed to “software identifiers” and now requires at least one identifier to be included.Changes were also made to the automation support and practices and processes sections of the original guide. The automation support received a minor update, in which software identification (SWID) tags were removed from the list of data formats, as they are not widely used.The practices and processes section had several major updates, including transformation of the “depth” element to the “coverage” element, recognizing the importance of both horizontal and vertical breadth in coverage of software component information. The updated “known unknowns” now makes a distinction between information that is purposely redacted versus that which is unknown to the SBOM author, and the “access control” section of the previous guide was removed and integrated into the new “distribution and delivery” element. Additionally, the “accommodation of mistakes” section was replaced with “accommodations of updates to SBOM data” and now emphasizes that SBOM authors should correct any errors promptly, rather than stating that consumers should be “tolerant of the occasional incidental error.”“The relative immaturity of SBOM adoption and implementation in 2021 made explicitly accommodating mistakes necessary. Technological developments since 2021 have significantly improved SBOM data quality, such that recipients can expect SBOM data to be accurate,” the latest guidance states.Stakeholders can submit their comments on the new SBOM Minimum Elements draft until October 3, 2025. CISA noted it is specifically seeking comments on topics including the removal or addition of elements, the improvement of definitions, and potential contexts where the proposed minimum elements would not be feasible.
Application security, DevSecOps, Supply chain

CISA releases draft changes to SBOM minimum requirements for comment


Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



