CISA updates Software Bill of Materials (SBOM) minimum elements for public comment
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) released a draft of the Minimum Elements for a Software Bill of Materials (SBOM) for public comment. The update reflects advances in SBOM practice, tooling, and stakeholder adoption since the 2021 guidelines: it adds new elements and revises existing ones to match what current tooling can produce. Comments are accepted until October 3, 2025. An SBOM documents the components that make up a piece of software, giving consumers visibility into the software supply chain so they can make risk-informed decisions and respond faster when a component is found to be vulnerable. The updated guidelines are intended to help federal agencies and other organizations strengthen their cybersecurity posture. Experts, however, have raised concerns about how practical SBOMs are to operationalize, calling for more sector-specific guidance and better support for automation and vulnerability integration.
Timeline
- 22.08.2025 15:00 (2 articles)
CISA releases updated SBOM minimum elements for public comment
CISA published a draft of the Minimum Elements for a Software Bill of Materials (SBOM) on August 22, 2025. The update adds new elements and clarifies existing ones to reflect advances in SBOM practice and tooling. Comments are accepted until October 3, 2025, to help refine the guidelines. The draft calls for machine-readable formats such as SPDX and CycloneDX, and for cryptographic hashes of components so that consumers can verify that the software they received is the software the SBOM describes. Experts have raised concerns about how practical SBOMs are to operationalize, calling for more sector-specific guidance and better support for automation and vulnerability integration.
Sources:
- CISA Issues Draft Software Bill of Materials Guide for Public Comment – www.cisa.gov – 22.08.2025 15:00
- CISA's New SBOM Guidelines Get Mixed Reviews – www.darkreading.com – 28.08.2025 18:17
Information Snippets
- The draft Minimum Elements for a Software Bill of Materials (SBOM) includes new elements such as component hash, license, tool name, and generation context.
  First reported: 22.08.2025 15:00 (2 sources, 2 articles)
  - CISA Issues Draft Software Bill of Materials Guide for Public Comment – www.cisa.gov – 22.08.2025 15:00
  - CISA's New SBOM Guidelines Get Mixed Reviews – www.darkreading.com – 28.08.2025 18:17
- Existing elements in the SBOM, such as SBOM author, software producer, and component version, have been updated for improved clarity.
  First reported: 22.08.2025 15:00 (1 source, 1 article)
  - CISA Issues Draft Software Bill of Materials Guide for Public Comment – www.cisa.gov – 22.08.2025 15:00
- The public comment period for the draft SBOM guidelines concludes on October 3, 2025.
  First reported: 22.08.2025 15:00 (2 sources, 2 articles)
  - CISA Issues Draft Software Bill of Materials Guide for Public Comment – www.cisa.gov – 22.08.2025 15:00
  - CISA's New SBOM Guidelines Get Mixed Reviews – www.darkreading.com – 28.08.2025 18:17
- CISA encourages public input to improve the list of minimum elements for SBOMs.
  First reported: 22.08.2025 15:00 (2 sources, 2 articles)
  - CISA Issues Draft Software Bill of Materials Guide for Public Comment – www.cisa.gov – 22.08.2025 15:00
  - CISA's New SBOM Guidelines Get Mixed Reviews – www.darkreading.com – 28.08.2025 18:17
- The updated SBOM guidelines aim to support scalable, machine-readable solutions for software supply chain transparency.
  First reported: 22.08.2025 15:00 (1 source, 1 article)
  - CISA Issues Draft Software Bill of Materials Guide for Public Comment – www.cisa.gov – 22.08.2025 15:00
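The timeline entry above says the draft wants machine-readable SBOMs (SPDX or CycloneDX) with component hashes for integrity verification, and the first snippet lists the new elements (component hash, license, tool name, generation context) alongside the existing ones (SBOM author, software producer, component version). What a consumer actually does with that is mechanical: parse the document, check that each element is present, and recompute the hash of the artifact they received against the one the SBOM records. The following is an added example of such a check, not code from CISA or from either source article. The CycloneDX 1.5 JSON document and the artifact bytes are constructed for this example, and the mapping of each named element onto CycloneDX fields (for instance, `metadata.lifecycles` as the generation context and `metadata.component.supplier` as the software producer) is this example's own assumption, not a mapping the draft prescribes.

```python
"""Added example: audit a CycloneDX JSON SBOM for the draft's named minimum
elements and verify a component's SHA-256 against the artifact bytes."""
import hashlib
import json

# Constructed artifact standing in for a shipped library. Its digest is
# computed here so the constructed SBOM below is consistent with it.
SAMPLE_ARTIFACT = b"def greet():\n    return 'hello from a constructed library'\n"
SAMPLE_ARTIFACT_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

# Constructed CycloneDX 1.5 document, serialized as a tool would emit it.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2025-08-22T15:00:00Z",
        "lifecycles": [{"phase": "build"}],  # assumed mapping: generation context
        "tools": [{"name": "example-sbom-tool", "version": "0.1"}],  # tool name
        "authors": [{"name": "Example Corp Release Engineering"}],   # SBOM author
        "component": {
            "type": "application",
            "name": "example-app",
            "version": "2.3.1",
            "supplier": {"name": "Example Corp"},  # assumed mapping: software producer
        },
    },
    "components": [{
        "type": "library",
        "name": "example-lib",
        "version": "1.4.0",
        "purl": "pkg:pypi/example-lib@1.4.0",
        "hashes": [{"alg": "SHA-256", "content": SAMPLE_ARTIFACT_SHA256}],
        "licenses": [{"license": {"id": "MIT"}}],
    }],
})


def load_sbom(text):
    """Parse SBOM JSON text into a dict (thin wrapper so callers need not import json)."""
    return json.loads(text)


def _tool_names(metadata):
    """CycloneDX 1.5 accepts `tools` either as a legacy list or as an object
    holding `components`/`services`; collect tool names from either shape."""
    tools = metadata.get("tools", [])
    entries = tools if isinstance(tools, list) else \
        tools.get("components", []) + tools.get("services", [])
    return [t["name"] for t in entries if t.get("name")]


def find_missing_elements(sbom):
    """Return the minimum elements (named as in the draft) that this SBOM lacks.
    Per-component findings carry the component name so a reviewer can act on them."""
    missing = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        missing.append("SBOM author")
    if not meta.get("component", {}).get("supplier", {}).get("name"):
        missing.append("software producer")
    if not _tool_names(meta):
        missing.append("tool name")
    if not meta.get("lifecycles"):
        missing.append("generation context")
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed component>"
        if not comp.get("name"):
            missing.append("component name")
        if not comp.get("version"):
            missing.append(f"component version ({label})")
        if not any(h.get("alg") == "SHA-256" and h.get("content")
                   for h in comp.get("hashes", [])):
            missing.append(f"component hash ({label})")
        if not comp.get("licenses"):
            missing.append(f"license ({label})")
    return missing


def verify_component_hash(component, artifact_bytes):
    """True iff the artifact's SHA-256 matches one the SBOM records for the component.
    A component with no SHA-256 entry fails: integrity cannot be asserted for
    something the SBOM never hashed, so absence must not read as a pass."""
    recorded = {h["content"].lower() for h in component.get("hashes", [])
                if h.get("alg") == "SHA-256" and h.get("content")}
    if not recorded:
        return False
    return hashlib.sha256(artifact_bytes).hexdigest() in recorded


def audit_sbom(sbom_text, artifacts):
    """Run both checks; `artifacts` maps component name -> received bytes."""
    sbom = load_sbom(sbom_text)
    hash_ok = {c["name"]: verify_component_hash(c, artifacts[c["name"]])
               for c in sbom.get("components", []) if c.get("name") in artifacts}
    return {"missing": find_missing_elements(sbom), "hash_ok": hash_ok}


if __name__ == "__main__":
    print(audit_sbom(SAMPLE_SBOM_JSON, {"example-lib": SAMPLE_ARTIFACT}))
```

Two design points worth noting. The hash check treats "no hash recorded" as a failure rather than skipping the component, because the whole purpose of the element is to let a consumer refuse an artifact it cannot verify. And the element checks report which component is deficient, since an SBOM with hundreds of components that merely says "license missing" is exactly the kind of output practitioners cite when they call SBOMs hard to operationalize.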
Similar Happenings
Guidelines for Secure AI Adoption in Enterprises
AI adoption in enterprises is accelerating rapidly, with employees leveraging AI for various tasks. This trend poses significant security risks due to the lack of control and safeguards. To address these challenges, security leaders need practical principles and technological capabilities to ensure safe AI usage. Five key rules for secure AI adoption have been outlined to help organizations balance innovation and protection. The rules emphasize the importance of visibility, contextual risk assessment, data protection, access controls, and continuous oversight. These guidelines aim to prevent security breaches and ensure compliance while allowing employees to experiment with AI tools.
CISA Releases Software Acquisition Guide: Supplier Response Web Tool
The Cybersecurity and Infrastructure Security Agency (CISA) has launched the Software Acquisition Guide: Supplier Response Web Tool. This interactive, no-cost resource helps IT decision-makers, procurement professionals, and software suppliers strengthen cybersecurity throughout the software procurement lifecycle. The tool simplifies the assessment of software assurance and supplier risk, supporting secure-by-design and secure-by-default principles, and is part of CISA's broader effort to strengthen software supply chain resilience. The Web Tool breaks the guide into manageable sections, narrows the questions to those relevant to the user's answers, and produces exportable summaries for key decision-makers, supporting stronger due diligence and more secure procurement outcomes. It is available to federal, state, and local governments, as well as small and mid-sized businesses.
AI Security Policies: Gaps and Best Practices in AI Adoption
Organizations are rapidly adopting AI-powered solutions, often without comprehensive security policies. This leaves them vulnerable to various security threats. Only 28% of organizations have a formal AI policy, despite 81% acknowledging AI use within their teams. Security experts recommend establishing principle-based AI policies that include clear controls and adapt to evolving threats and regulations. Security risks include prompt injection attacks, hallucination, third-party model vulnerabilities, and shadow AI tools. Effective AI policies should guide innovation, set safety guardrails, and define acceptable use boundaries. Policies must be flexible and regularly updated to adapt to new regulations and threats.
CISA and Partners Release OT Asset Inventory Guidance
The Cybersecurity and Infrastructure Security Agency (CISA) and several international partners released new guidance to help operational technology (OT) owners and operators create and maintain comprehensive OT asset inventories and taxonomies. This guidance aims to enhance the security of critical infrastructure sectors by providing deeper visibility into OT assets, reducing risk, and ensuring operational resilience. The guidance is a collaborative effort involving the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and cybersecurity agencies from Australia, Canada, Germany, the Netherlands, and New Zealand. It is designed to help organizations identify and secure their most vital assets, reduce the risk of cybersecurity incidents, and ensure the continuity of their mission and services.
Business Logic Vulnerabilities in SaaS Platforms
Business logic vulnerabilities in SaaS platforms pose a significant threat to organizations. These vulnerabilities exploit the legitimate processing flows of applications to achieve unintended outcomes, often bypassing traditional security measures. The complexity of business processes makes them attractive targets for attackers, who can manipulate transactions, hijack user sessions, or gain unauthorized access to data. Examples include tampering with purchase processes, diverting frequent flyer points, and reusing discount codes. These vulnerabilities are unique to each organization and require a tailored approach for detection and prevention. Security teams must focus on human creativity and detailed documentation to identify potential weaknesses that automated systems might miss. Implementing a zero-trust security model, enforcing the least privilege principle, and continuous monitoring are crucial for mitigating these risks.