The Cybersecurity and Infrastructure Security Agency (CISA) has issued a draft update to its Minimum Elements for a Software Bill of Materials (SBOM), marking a milestone in the U.S. government’s effort to strengthen software supply chain transparency.
The updated guidance, released for public comment, reflects the maturing state of SBOM tooling and implementation practices since the original NTIA framework was published in 2021.
Increasingly complex and interconnected software is making visibility into its components essential for both security and operational integrity. The updated draft introduces enhanced technical fields and addresses the evolving challenges of modern software ecosystems, including cloud-native applications and AI systems.
CISA is inviting stakeholders to submit feedback before the October 3 deadline.
Why It Matters: SBOMs have shifted from a niche concept to a foundational component of cybersecurity strategy. By enabling organizations to understand the “ingredients” of their software, SBOMs make it possible to quickly assess exposure to known vulnerabilities and manage risk across software lifecycles. The 2025 draft from CISA raises the bar for what effective SBOM implementation looks like, ensuring the standard keeps pace with technological advancements and real-world threats.
- Significant Expansion and Refinement of Data Fields: The updated guidance includes four new data elements (Component Hash, License, Tool Name, and Generation Context) to provide more actionable metadata about software components. These additions enable greater traceability and record the context in which an SBOM was generated. In addition, major updates to existing fields aim to resolve previous ambiguities and allow for more uniform and complete SBOMs across organizations and tools.
- Stronger Emphasis on Automation and Interoperability: Recognizing the scale and complexity of modern software environments, the 2025 draft reinforces the need for automation-friendly formats, specifically highlighting SPDX and CycloneDX as widely accepted standards. Agencies and organizations are urged to avoid outdated or deprecated formats to ensure compatibility with cybersecurity systems. CISA recommends regular review of supported formats to maintain alignment with evolving industry standards, ensuring long-term interoperability and effectiveness.
- Consideration for SaaS, Cloud, and AI-Driven Software: While the minimum elements are intended to be universally applicable, the draft acknowledges that SaaS and AI software present unique challenges not fully addressed by traditional SBOM models. For SaaS, frequent updates and shared responsibility between vendors and users complicate SBOM delivery and utility. For AI systems, the software supply chain may include supporting AI elements that are not captured in current SBOM structures. While the draft does not mandate new fields for these cases, it indicates that further guidance and possibly new SBOM elements may be necessary in the near future.
- Enhanced Practices: Coverage, Updates, and Known Unknowns: The new draft substantially updates the “Coverage” and “Known Unknowns” elements. Coverage now requires comprehensive inclusion of transitive dependencies, so that organizations can understand the full composition of their software and surface vulnerabilities hidden in indirect dependencies. The Known Unknowns field now distinguishes between missing data and intentionally redacted information, improving clarity for downstream consumers. There is also an expanded expectation for accommodating corrections and updates to SBOMs, underscoring the importance of timely and accurate information as part of ongoing risk management.
- Public Engagement and Finalization Timeline: The draft is open for public comment through October 3, 2025, allowing the technology community time to shape the final version. Feedback is being collected via the Federal Register and will inform CISA’s final guidance. This update comes as SBOMs and transparency are gaining traction outside government in sectors like healthcare and defense, which are adopting their own SBOM requirements.
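As an added example (not part of the article or of CISA's guidance), the following Python check reports which of the four new elements a CycloneDX-style SBOM lacks, distinguishes redacted from merely missing data as the revised Known Unknowns element requires, and verifies that every transitive dependency in the graph is actually declared as a component. The hashes, licenses, tools and dependencies layout follows CycloneDX JSON; the `generationContext` and `redacted` property names and the sample SBOM itself are constructed assumptions for this illustration.

```python
import json

# Constructed sample SBOM (not a real product).  Layout follows CycloneDX for
# hashes, licenses, tools and dependencies; the 'generationContext' and
# 'redacted' property names are assumptions made for this example.
SAMPLE_SBOM = json.dumps({
    "metadata": {
        "tools": [{"name": "example-sbom-tool", "version": "1.0"}],
        "properties": [{"name": "generationContext", "value": "build"}],
    },
    "components": [
        {"bom-ref": "app", "name": "app", "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"bom-ref": "libx", "name": "libx", "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        # Hash deliberately withheld: a Known Unknown that is redacted, not missing.
        {"bom-ref": "liby", "name": "liby", "licenses": [{"license": {"id": "BSD-3-Clause"}}],
         "properties": [{"name": "redacted", "value": "hashes"}]},
        {"bom-ref": "libz", "name": "libz"},  # nothing stated: data is simply missing
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libx"]},
        {"ref": "libx", "dependsOn": ["liby", "libz", "libq"]},  # libq is never declared
    ],
})

def props(obj):
    """Flatten a CycloneDX 'properties' list into a name -> value dict."""
    return {p["name"]: p["value"] for p in obj.get("properties", [])}

def check_sbom(text):
    """Return sorted findings against the draft's new elements; [] means all present."""
    bom = json.loads(text)
    meta, components = bom.get("metadata", {}), bom.get("components", [])
    findings = []
    if not any(t.get("name") for t in meta.get("tools", [])):
        findings.append("metadata: missing Tool Name")
    if "generationContext" not in props(meta):
        findings.append("metadata: missing Generation Context")
    for c in components:
        for field, label in (("hashes", "Component Hash"), ("licenses", "License")):
            if not c.get(field):  # distinguish redacted from merely absent
                state = "redacted" if field in props(c).get("redacted", "") else "missing"
                findings.append(f"{c['name']}: {label} {state}")
    # Coverage: every transitive dependency in the graph must be a declared component.
    declared = {c["bom-ref"] for c in components}
    referenced = {d for e in bom.get("dependencies", []) for d in e.get("dependsOn", [])}
    findings += [f"{r}: depended on but not declared (coverage gap)" for r in referenced - declared]
    return sorted(findings)
```

Running `check_sbom(SAMPLE_SBOM)` flags the undeclared `libq`, the redacted hash on `liby`, and the missing hash and license on `libz`, while the fully described components produce no findings.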
Go Deeper -> 2025 Minimum Elements for a Software Bill of Materials (SBOM) – CISA
CISA’s new SBOM update reflects steady rise in adoption – Federal News Network