The Cybersecurity and Infrastructure Security Agency (CISA) today released a draft of the first federal update to software bill of materials (SBOM) guidance since 2021, covering a new range of use cases, generation processes, and improvements to data quality. 

CISA said it wants feedback by Oct. 3 on the 17-page draft, which updates the 2021 SBOM Minimum Elements guidance issued by the National Telecommunications and Information Administration (NTIA). The update accounts for advances in tooling and adoption since then by raising “expectations for SBOMs to align with current capabilities.”

An SBOM is a software supply chain inventory that lists the components and dependencies that make up an application.

“SBOM is a valuable tool that helps software manufacturers with addressing supply chain risks and several best practices have evolved significantly in recent years,” said Chris Butera, acting executive assistant director for cybersecurity at CISA, in a statement.

New elements in the draft include component hash, license, tool name, and generation context. Elements carried over from the 2021 version, such as SBOM author, software producer, and component version, were reworded for clarity.
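As an added illustration, not taken from the article or from CISA's draft, the following Python checks a constructed SBOM for the elements the article names (SBOM author, timestamp, tool name, software producer, component name and version, component hash, license) and verifies a recorded component hash against the artifact bytes it describes. The CycloneDX-style JSON layout, the field names, and all sample values are assumptions; the draft names the elements, not a format.

```python
import hashlib

# Constructed artifact bytes standing in for a component file (example data).
LIBEXAMPLE_BYTES = b"example artifact bytes\n"

# Constructed CycloneDX-style SBOM. The layout is an assumption for the
# example; only the element names come from the article.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        # Generation context: when, by whom, and with which tool
        "timestamp": "2025-09-01T12:00:00Z",
        "authors": [{"name": "Example Build Team"}],
        "tools": [{"name": "example-sbom-generator", "version": "0.1"}],
    },
    "components": [
        {
            "type": "library",
            "name": "libexample",
            "version": "1.2.3",
            "supplier": {"name": "Example Vendor"},
            "hashes": [{"alg": "SHA-256",
                        "content": hashlib.sha256(LIBEXAMPLE_BYTES).hexdigest()}],
            "licenses": [{"license": {"id": "MIT"}}],
        },
        {
            # Deliberately incomplete entry: no supplier, hash, or license
            "type": "library",
            "name": "util-helper",
            "version": "0.0.1",
        },
    ],
}

# Document-level elements, checked against the metadata object.
DOCUMENT_ELEMENTS = {
    "sbom_author": lambda m: bool(m.get("authors")),
    "timestamp": lambda m: bool(m.get("timestamp")),
    "tool_name": lambda m: any(t.get("name") for t in m.get("tools", [])),
}

# Per-component elements, checked against each entry in "components".
COMPONENT_ELEMENTS = {
    "supplier_name": lambda c: bool(c.get("supplier", {}).get("name")),
    "component_name": lambda c: bool(c.get("name")),
    "component_version": lambda c: bool(c.get("version")),
    "component_hash": lambda c: any(h.get("content") for h in c.get("hashes", [])),
    "license": lambda c: bool(c.get("licenses")),
}


def check_minimum_elements(sbom):
    """Return 'scope: element' strings for every element missing from the SBOM."""
    findings = []
    meta = sbom.get("metadata", {})
    for name, present in DOCUMENT_ELEMENTS.items():
        if not present(meta):
            findings.append(f"document: {name}")
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        for name, present in COMPONENT_ELEMENTS.items():
            if not present(comp):
                findings.append(f"{label}: {name}")
    return findings


def verify_component_hash(component, artifact_bytes):
    """True only if a recorded SHA-256 hash matches the artifact bytes.

    A component with no SHA-256 hash cannot be verified and is reported False,
    so a missing hash is never mistaken for a passing check.
    """
    recorded = [h["content"].lower() for h in component.get("hashes", [])
                if h.get("alg") == "SHA-256" and h.get("content")]
    if not recorded:
        return False
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    return actual in recorded


if __name__ == "__main__":
    for finding in check_minimum_elements(SAMPLE_SBOM):
        print("missing:", finding)
    first = SAMPLE_SBOM["components"][0]
    print("libexample hash matches:", verify_component_hash(first, LIBEXAMPLE_BYTES))
    print("tampered bytes match:", verify_component_hash(first, LIBEXAMPLE_BYTES + b"x"))
```

Running the script on the sample reports the three elements absent from the incomplete component and shows that the recorded hash accepts the original bytes but rejects a modified artifact, which is the property that makes the component hash element useful to a consumer.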

“This voluntary guidance will empower federal agencies and other organizations to make risk-informed decisions, strengthen their cybersecurity posture, and support scalable, machine-readable solutions,” said Butera. “We encourage members of the public to review this guidance and provide comment on how we can improve this list of minimum elements.”     

The updated guidance aims to fold in lessons from wider SBOM generation and use by setting a new baseline for how software component information is documented and shared, CISA said.

While the guidance is intended for use by federal departments and agencies, the draft document states that it can be used by other organizations as well. 

CISA said that the public can provide feedback via the Federal Register and that the agency is seeking answers on whether any elements should be removed or added, if definitions and processes are clear enough for automation, and whether the proposed requirements are feasible across different contexts, technologies, or sectors. 

Weslan Hansen
Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.