
CISA, NSA, and international partners release joint SBOM cybersecurity guide

2 unique sources, 2 articles

Summary


The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and 19 international partners have released a joint guide on the value of software bill of materials (SBOM) for enhancing cybersecurity. The guide aims to inform software producers, procurers, and operators about the benefits of integrating SBOM into security practices. The initiative underscores the importance of SBOMs in identifying and mitigating supply chain vulnerabilities and encourages global alignment for interoperability and scalability. The guide emphasizes the need for international collaboration to advance software supply chain security and drive transparency in software creation and utilization. It highlights the role of SBOMs in providing visibility into software dependencies, enabling risk assessment, and proactive vulnerability mitigation. SBOMs improve security and reduce risks and costs by increasing transparency in software components. They help organizations address security risks in the software supply chain and enable greater visibility across an organization’s software supply chain and enterprise system.

Timeline

  1. 03.09.2025 15:00 · 2 articles

    CISA, NSA, and 19 international partners release joint SBOM cybersecurity guide

    The guide provides detailed information on the advantages of integrating SBOM generation, analysis, and sharing into security processes and practices. It argues that SBOM adoption improves security and reduces risks and costs by increasing transparency in software components. SBOMs help organizations address security risks in the software supply chain and enable greater visibility across an organization’s software supply chain and enterprise systems. The guide emphasizes the need for international collaboration to advance software supply chain security and drive transparency in software creation and utilization. It highlights the role of SBOMs in providing visibility into software dependencies, enabling risk assessment and proactive vulnerability mitigation. SBOMs should be machine-processable and shared downstream so that consumers can respond to new risks more efficiently. Adopting SBOMs lowers component management costs, downtime during vulnerability response, and the time needed to identify issues in discontinued components. Post-deployment SBOM monitoring helps identify vulnerable components for fast patching and surfaces licensing information. The guide also discusses the importance of automation in SBOM generation, management, and consumption.
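    The post-deployment monitoring the guide describes (consuming a machine-processable SBOM, checking that expected elements such as component hash, license, tool name and timestamp are present, and matching components against known advisories) can be sketched in a few dozen lines. This is an added example, not code from the guide or its authors; the SBOM and the advisory list are constructed, the field layout follows CycloneDX JSON conventions, and the advisory identifier is a placeholder.

```python
"""Added example: post-deployment check of a CycloneDX-style JSON SBOM. Reports
guide-listed elements that are missing (component hash, license, tool name,
timestamp) and matches components against a constructed advisory list."""
import json

# Constructed sample SBOM; field layout follows CycloneDX 1.4 JSON conventions.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"timestamp": "2025-09-03T15:00:00Z",
                 "tools": [{"name": "example-sbom-tool", "version": "0.1"}]},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "purl": "pkg:generic/libbar@0.9.0", "hashes": [], "licenses": []},
    ],
})
# Constructed advisory feed (placeholder id): purl sans version -> {version: id}.
ADVISORIES = {"pkg:generic/libfoo": {"1.2.3": "EXAMPLE-ADV-0001"}}

def load_sbom(text):
    """Parse machine-readable SBOM text (JSON) into a dict."""
    return json.loads(text)

def check_min_elements(sbom):
    """Return {component: [missing elements]}; document-level gaps go under '_document'."""
    missing, meta = {}, sbom.get("metadata", {})
    doc = [n for n, ok in (("timestamp", bool(meta.get("timestamp"))),
           ("tool name", any(t.get("name") for t in meta.get("tools", []))))
           if not ok]
    if doc:
        missing["_document"] = doc
    for comp in sbom.get("components", []):
        gaps = [e for e, key in (("hash", "hashes"), ("license", "licenses"))
                if not comp.get(key)]
        if gaps:
            missing[comp["name"]] = gaps
    return missing

def match_advisories(sbom, advisories):
    """Map purl -> advisory id for components whose exact version is listed."""
    hits = {}
    for comp in sbom.get("components", []):
        base, _, version = comp.get("purl", "").partition("@")
        adv = advisories.get(base, {}).get(version)
        if adv:
            hits[comp["purl"]] = adv
    return hits
```

    Running the two checks on the sample flags libbar as lacking a hash and a license and reports libfoo 1.2.3 as matching the constructed advisory; a real deployment would feed the same functions from the SBOM shared by the producer and a live advisory source.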


Similar Happenings

Supermicro BMC Firmware Vulnerabilities Allow Firmware Tampering

Two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware allow attackers to bypass firmware verification and update the system with malicious firmware. These vulnerabilities, CVE-2025-7937 and CVE-2025-6198, stem from flaws in the cryptographic signature verification process. They affect the Root of Trust (RoT) security feature, potentially allowing attackers to gain persistent control over the BMC and the main server OS. The issues were discovered by Binarly, a firmware security company. Supermicro has released firmware fixes for impacted models, and Binarly has released proof-of-concept exploits for both vulnerabilities. CVE-2025-7937 is a bypass for a previously disclosed vulnerability, CVE-2024-10237, which was reported by NVIDIA. CVE-2025-6198 bypasses the BMC RoT security feature, raising concerns about the reuse of cryptographic signing keys.

GitHub Strengthens npm Supply Chain Security with 2FA and Short-Lived Tokens

GitHub is implementing enhanced security measures to protect the npm ecosystem, including mandatory two-factor authentication (2FA) and short-lived tokens. These changes aim to mitigate supply chain attacks such as the recent "s1ngularity", "GhostAction", and "Shai-Hulud" attacks, the last of which involved a self-replicating worm that compromised thousands of accounts and private repositories. The measures include granular tokens with a seven-day expiration, trusted publishing using OpenID Connect (OIDC), and automatic generation of provenance attestations for packages. Additionally, GitHub is deprecating legacy tokens and TOTP 2FA, expanding trusted publishing options, and gradually rolling out these changes to minimize disruption. GitHub removed over 500 compromised packages and blocked new packages containing the Shai-Hulud malware's indicators of compromise. The company encourages npm maintainers to use npm trusted publishing and to strengthen publishing settings to require 2FA. Ruby Central is also tightening governance of the RubyGems package manager to improve supply-chain protections.

CISA's 2025 SBOM Guidelines Released with Mixed Feedback

The US Cybersecurity and Infrastructure Security Agency (CISA) released updated guidelines for Software Bills of Materials (SBOM) in August 2025. The new rules aim to enhance transparency among software and component vendors by mandating detailed SBOMs. While experts acknowledge progress, they express concerns about implementation, standardization, and operationalization. The guidelines require SBOMs to include component hashes, licenses, tool names, timestamps, and other identifiers to facilitate software supply chain visibility. The new rules also mandate machine-readable formats like SPDX and CycloneDX to drive automation and include cryptographic hashes for component verification. Despite these advancements, practitioners highlight the need for better vulnerability integration, automation, and practical guidance to make SBOMs truly operational.

CISA Publishes Draft Software Bill of Materials (SBOM) Guide for Public Comment

The Cybersecurity and Infrastructure Security Agency (CISA) has released a draft guide outlining the minimum elements for a Software Bill of Materials (SBOM). This updated guide reflects advancements in SBOM practices since 2021 and aims to enhance software supply chain transparency and security. The public can submit comments on this draft until October 3, 2025. The new draft includes additional elements such as component hash, license, tool name, and generation context. These updates are designed to align with current capabilities and provide organizations with more detailed information about their software components and supply chain. The goal is to empower federal agencies and other organizations to make risk-informed decisions and strengthen their cybersecurity posture.