Rise in Adoption Reflected in Latest SBOM Update by CISA

The latest update to CISA's SBOM guidance indicates consistent growth in SBOM usage.

Updated guidelines from CISA for employing software component lists give federal agencies a revised framework.

The Cybersecurity and Infrastructure Security Agency (CISA) has recently published a draft guide for the minimum elements of the Software Bill of Materials (SBOM), marking a significant step towards standardizing SBOMs globally. This draft guide updates a 2021 SBOM guide published by the Commerce Department's National Telecommunications and Information Administration (NTIA).

An SBOM is a machine-readable inventory of components, dependencies, and licenses that make up a software application. It has emerged as a key software security tool in recent years, although adoption has varied across government agencies and industry. The healthcare sector, in particular, has increased its use of SBOMs.

CISA's draft guide includes updates on the data fields that should be included in an SBOM, as well as practices and processes for the use of SBOMs. The guide emphasises that good software security practices extend beyond the use of SBOMs, but SBOMs lay the foundation for improved security practices.

The draft guide follows a 2022 memorandum from the Office of Management and Budget on secure software development, which pointed agencies to the NTIA minimum elements or successor guidance from CISA; where agencies require SBOMs from software producers, those SBOMs are expected to comply with that guidance. Agencies can use the insights gained from analysing SBOMs to drive security decisions about their software systems, but only if their tooling can consume them: vulnerability management tools that ingest SBOMs, analyse the data, and map it to other data sources such as vulnerability databases are what turn an SBOM from a static inventory into data, intelligence, and actions.
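What "ingest an SBOM and map it to other data" looks like in practice, as an added example that is not part of the article or of any CISA tooling: the script below parses a CycloneDX JSON SBOM, checks it against the seven minimum elements of the 2021 NTIA guide (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp), and then matches each component's package URL against an advisory table. The SBOM document, the "payments-api" application and the advisory table are constructed for illustration; only the Log4Shell record (CVE-2021-44228, fixed in log4j-core 2.15.0) reflects a real advisory.

```python
"""Added example: NTIA minimum-element check plus advisory matching for a
CycloneDX JSON SBOM. The SBOM and advisory table are constructed sample data."""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 document for a hypothetical "payments-api".
# jackson-databind deliberately lacks a supplier so the check has something to flag.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {
    "timestamp": "2025-09-01T12:00:00Z",
    "authors": [{"name": "example-build-pipeline"}],
    "component": {"type": "application", "bom-ref": "app", "name": "payments-api", "version": "3.2.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "log4j", "name": "log4j-core", "version": "2.14.1",
     "supplier": {"name": "Apache Software Foundation"},
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "bom-ref": "jackson", "name": "jackson-databind", "version": "2.15.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["log4j", "jackson"]},
    {"ref": "log4j", "dependsOn": []},
    {"ref": "jackson", "dependsOn": []}
  ]
}'''

# Constructed advisory table keyed by version-less purl. The Log4Shell entry is
# real; a production tool would fetch this from a vulnerability database instead.
ADVISORIES: Dict[str, List[Dict[str, str]]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [{"id": "CVE-2021-44228", "fixed_in": "2.15.0"}],
}


def load_sbom(text: str) -> dict:
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled here")
    return sbom


def check_minimum_elements(sbom: dict) -> Dict[str, List[str]]:
    """Map each unsatisfied NTIA minimum element to the offending field or component."""
    problems: Dict[str, List[str]] = {}

    def flag(element: str, what: str) -> None:
        problems.setdefault(element, []).append(what)

    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        flag("timestamp", "metadata.timestamp")
    if not meta.get("authors"):
        flag("author", "metadata.authors")

    refs = set()
    if meta.get("component", {}).get("bom-ref"):
        refs.add(meta["component"]["bom-ref"])
    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("name"):
            flag("component_name", label)
        if not comp.get("version"):
            flag("version", label)
        if not comp.get("supplier", {}).get("name"):
            flag("supplier", label)
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            flag("unique_id", label)
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])

    # CycloneDX distinguishes "no dependencies" (entry with empty dependsOn) from
    # "unknown" (no entry at all); only an explicit entry satisfies the element.
    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for ref in sorted(refs - declared):
        flag("dependency_relationship", ref)
    return problems


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric compare for dotted versions; sufficient for the sample data."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def match_advisories(sbom: dict, advisories: Dict[str, List[Dict[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for every affected component."""
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl or "@" not in purl:
            continue  # without a purl there is nothing reliable to match on
        base, _, rest = purl.partition("@")
        version = rest.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
        for adv in advisories.get(base, []):
            if version_tuple(version) < version_tuple(adv["fixed_in"]):
                findings.append((comp["name"], version, adv["id"]))
    return findings


if __name__ == "__main__":
    doc = load_sbom(SBOM_JSON)
    print("minimum-element gaps:", check_minimum_elements(doc))
    print("advisory matches:", match_advisories(doc, ADVISORIES))
```

Run as-is, the check reports only the missing supplier on jackson-databind and the advisory match reports log4j-core 2.14.1 against CVE-2021-44228. The dependency check is the part most tools get wrong: a component that simply has no entry in `dependencies` is of unknown provenance, not leaf-free, and is flagged accordingly.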

The widespread Log4j software vulnerability sparked further adoption of SBOMs. Julie Davila, GitLab's vice president of product security, has stated that CISA's new draft guidance reflects the growing adoption and tooling around SBOMs. CISA acknowledges that SBOM minimum elements should evolve to maintain transparency into software components.

Allan Friedman, the leader of the SBOM effort at NTIA, left the Commerce agency in 2021 to join CISA as a senior advisor and continued to lead SBOM conversations at CISA before stepping down at the end of July. CISA is accepting comments on the draft guidance through Oct. 3. The draft guide proposes areas for "further consideration and potential guidance," including the use of SBOMs for software-as-a-service and the correlation of SBOMs with security advisories.

The minimum-elements work is also part of an international effort. In 2025, CISA and 18 partner authorities, including Germany's Federal Office for Information Security (BSI), published a joint vision for SBOM that aims to standardize SBOMs globally and to improve software security practices across industries and governments worldwide.

In a related development, the Army has introduced new SBOM requirements of its own. Wider adoption and standardization of SBOMs should improve software security practices by giving operators an accurate picture of what runs in their systems, making those systems easier to defend against supply-chain and component-level threats.
