
CISA Publishes Draft Software Bill of Materials (SBOM) Guide for Public Comment

1 unique source, 1 article

Summary


The Cybersecurity and Infrastructure Security Agency (CISA) has released a draft guide outlining the minimum elements for a Software Bill of Materials (SBOM). This updated guide reflects advancements in SBOM practices since 2021 and aims to enhance software supply chain transparency and security. The public can submit comments on this draft until October 3, 2025. The new draft includes additional elements such as component hash, license, tool name, and generation context. These updates are designed to align with current capabilities and provide organizations with more detailed information about their software components and supply chain. The goal is to empower federal agencies and other organizations to make risk-informed decisions and strengthen their cybersecurity posture.

Timeline

  1. 22.08.2025 15:00 · 1 article

    CISA Publishes Draft SBOM Guide with Updated Minimum Elements

    On August 22, 2025, CISA released a draft guide outlining the minimum elements for a Software Bill of Materials (SBOM). This updated guide includes new elements such as component hash, license, tool name, and generation context, as well as updates to existing elements for improved clarity. The public comment period for this draft will run until October 3, 2025.
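    The summary and the timeline entry above both name the draft's new elements (component hash, license, tool name, generation context) on top of the 2021 minimum elements. The following added example, which is not CISA's code or a CISA-published schema, shows what a practitioner would typically want: a small checker that reports which minimum elements an SBOM record lacks, and a hash check that ties a component entry to the artifact it describes. The flat field names, the `sha256:<hex>` hash shape, the `generation_context` values and the sample SBOM are all constructed for illustration; the baseline field set follows the 2021 NTIA minimum elements (supplier, component name, version, unique identifiers, dependency relationship, author, timestamp).

```python
"""Minimal SBOM 'minimum elements' checker (added example, constructed schema).

Checks a flat, illustrative SBOM record for the 2021 baseline elements plus the
additional elements named in CISA's 2025 draft: component hash, license,
tool name and generation context. Field names are assumptions for this
example, not keys from CISA, SPDX or CycloneDX.
"""
from __future__ import annotations

import hashlib
import re

# Per-component fields. "baseline" entries follow the 2021 NTIA minimum
# elements; "draft 2025" entries are the additions the CISA draft names.
COMPONENT_FIELDS = {
    "supplier": "baseline",
    "name": "baseline",
    "version": "baseline",
    "identifiers": "baseline",   # list of unique ids (assumed: purl strings)
    "dependencies": "baseline",  # list of component names this one depends on
    "hash": "draft 2025",        # assumed shape: "sha256:<64 hex chars>"
    "license": "draft 2025",
}

# Document-level fields (author and timestamp are baseline elements).
DOCUMENT_FIELDS = {
    "author": "baseline",
    "timestamp": "baseline",
    "tool_name": "draft 2025",
    "generation_context": "draft 2025",  # assumed values: "source", "build", "deployed"
}

SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
GENERATION_CONTEXTS = {"source", "build", "deployed"}  # assumed vocabulary


def hash_artifact(data: bytes) -> str:
    """Hash an artifact into the (assumed) 'sha256:<hex>' form used in the SBOM."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_component_hash(component: dict, data: bytes) -> bool:
    """True when the component's recorded hash matches the artifact bytes."""
    return component.get("hash") == hash_artifact(data)


def check_sbom(sbom: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    for field, origin in DOCUMENT_FIELDS.items():
        if not sbom.get(field):
            findings.append(f"document: missing '{field}' ({origin} element)")
    ctx = sbom.get("generation_context")
    if ctx and ctx not in GENERATION_CONTEXTS:
        findings.append(f"document: unknown generation_context '{ctx}'")

    components = sbom.get("components", [])
    if not components:
        findings.append("document: lists no components")
    known_names = {c.get("name") for c in components}
    for c in components:
        label = c.get("name") or "<unnamed>"
        for field, origin in COMPONENT_FIELDS.items():
            # An empty dependency list is valid (leaf component), so only
            # a missing key, None or empty string counts as absent.
            if field not in c or c[field] is None or c[field] == "":
                findings.append(f"{label}: missing '{field}' ({origin} element)")
        h = c.get("hash")
        if h and not SHA256_RE.match(h):
            findings.append(f"{label}: hash is not of the form 'sha256:<64 hex>'")
        for dep in c.get("dependencies") or []:
            if dep not in known_names:
                findings.append(f"{label}: depends on unknown component '{dep}'")
    return findings


# Constructed sample artifact and SBOM; the packages and org are not real.
SAMPLE_ARTIFACT = b"example library contents v1.2.3"

SAMPLE_SBOM = {
    "author": "example-org build team",
    "timestamp": "2025-08-22T15:00:00Z",
    "tool_name": "example-sbom-tool 0.1",
    "generation_context": "build",
    "components": [
        {
            "supplier": "Example Org",
            "name": "example-lib",
            "version": "1.2.3",
            "identifiers": ["pkg:generic/example-lib@1.2.3"],
            "dependencies": ["example-util"],
            "hash": hash_artifact(SAMPLE_ARTIFACT),
            "license": "MIT",
        },
        {
            "supplier": "Example Org",
            "name": "example-util",
            "version": "0.9.0",
            "identifiers": ["pkg:generic/example-util@0.9.0"],
            "dependencies": [],
            # hash and license deliberately omitted: meets the 2021 baseline
            # but not the draft's additional elements.
        },
    ],
}

if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM) or ["no findings"]:
        print(finding)
```

Run stand-alone, the script reports that `example-util` lacks the hash and license elements while everything else passes, which is exactly the gap between a 2021-style SBOM and the draft's expanded minimum. The hash check is the piece that turns an SBOM from an inventory into something verifiable: an entry whose recorded hash does not match the bytes actually shipped is a signal worth alerting on, whatever the cause.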


Similar Happenings

GitHub Strengthens npm Supply Chain Security with 2FA and Short-Lived Tokens

GitHub is implementing enhanced security measures to protect the npm ecosystem, including mandatory two-factor authentication (2FA) and short-lived tokens. These changes aim to mitigate supply chain attacks such as the recent "s1ngularity", "GhostAction", and "Shai-Hulud" attacks, the last of which involved a self-replicating worm that compromised thousands of accounts and private repositories. The measures include granular tokens with a seven-day expiration, trusted publishing using OpenID Connect (OIDC), and automatic generation of provenance attestations for packages. Additionally, GitHub is deprecating legacy tokens and TOTP 2FA, expanding trusted publishing options, and gradually rolling out these changes to minimize disruption. GitHub removed over 500 compromised packages and blocked new packages containing the Shai-Hulud malware's indicators of compromise. The company encourages npm maintainers to adopt npm trusted publishing and to strengthen their publishing settings to require 2FA. Ruby Central is also tightening governance of the RubyGems package manager to improve supply chain protections.

CISA, NSA, and international partners release joint SBOM cybersecurity guide

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and 19 international partners have released a joint guide on the value of a software bill of materials (SBOM) for enhancing cybersecurity. The guide aims to inform software producers, procurers, and operators about the benefits of integrating SBOMs into their security practices. The initiative underscores the importance of SBOMs in identifying and mitigating supply chain vulnerabilities and encourages global alignment for interoperability and scalability. The guide emphasizes the need for international collaboration to advance software supply chain security and drive transparency in how software is created and used. It highlights the role of SBOMs in providing visibility into software dependencies, enabling risk assessment, and supporting proactive vulnerability mitigation. By increasing transparency into software components, SBOMs improve security and reduce risks and costs, helping organizations address supply chain risks and gain visibility across their software supply chain and enterprise systems.