On Friday, CISA published a request for information (RFI) in the Federal Register (90 FR 41094-41095) on its draft update of the “2025 Minimum Elements for a Software Bill of Materials (SBOM)”. The original draft was published in July 2021 by the Department of Commerce’s National Telecommunications and Information Administration (NTIA) in response to requirements of President Biden’s EO 14028. CISA requests input on the clarifications and enhancements in the proposed voluntary guidance.
The 2025 version of the Minimum Elements expands on the three minimum elements required by EO 14028 that were set out in the 2021 document:
Data Fields: Documenting baseline information about each component that should be tracked;
Automation Support: Allowing for scaling across the software ecosystem through automatic generation and machine-readability; and
Practices and Processes: Defining the operations of SBOM requests, generation and use.
Appendix A provides an expanded list of SBOM data elements with Appendix B adding an explanation of the changes made to the data elements list.
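The first two elements, baseline data fields and machine-readability, are what a consumer actually exercises when an SBOM arrives: the document has to parse automatically, and each component record has to carry the tracked fields. The checker below is an added example, not code from CISA, NTIA or the draft document. Because the page does not reproduce the expanded Appendix A list, it assumes the seven data fields of the 2021 NTIA document (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp), and it reads a constructed, generic JSON layout rather than SPDX or CycloneDX; the sample SBOMs and identifiers are constructed for illustration.

```python
"""Check a machine-readable SBOM for the baseline data fields.

Added example, not from CISA or NTIA. Field names follow the 2021 NTIA
Minimum Elements (an assumption: the 2025 Appendix A list is not on the
page). The JSON shape below is a constructed, generic layout, not SPDX or
CycloneDX.
"""
import json
from datetime import datetime

# Per-component baseline fields (2021 NTIA list, assumed here).
COMPONENT_FIELDS = ("supplier", "name", "version", "identifiers", "dependencies")
# Document-level baseline fields (author of SBOM data, timestamp).
DOCUMENT_FIELDS = ("author", "timestamp")


def check_sbom(doc: dict) -> list[str]:
    """Return a list of findings; an empty list means every baseline field is present
    and every dependency reference resolves to a listed component."""
    findings = []
    for field in DOCUMENT_FIELDS:
        if not doc.get(field):
            findings.append(f"document: missing {field}")
    ts = doc.get("timestamp")
    if ts:
        try:
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"document: timestamp {ts!r} is not ISO 8601")
    components = doc.get("components") or []
    if not components:
        findings.append("document: no components listed")
    known_ids = {c["id"] for c in components if c.get("id")}
    for comp in components:
        label = comp.get("id") or comp.get("name") or "<unnamed component>"
        for field in COMPONENT_FIELDS:
            if field not in comp:  # an empty dependency list is fine; a missing key is not
                findings.append(f"{label}: missing {field}")
        for dep in comp.get("dependencies") or []:
            if dep not in known_ids:
                findings.append(f"{label}: depends on unknown component {dep!r}")
    return findings


def check_sbom_json(text: str) -> list[str]:
    """Parse an SBOM document from JSON text and run the baseline checks."""
    return check_sbom(json.loads(text))


# Constructed sample: complete, so the checker reports nothing.
GOOD_SBOM = {
    "author": "Example Vendor build pipeline (constructed)",
    "timestamp": "2025-08-22T14:05:00Z",
    "components": [
        {"id": "app", "supplier": "Example Vendor", "name": "example-app",
         "version": "1.4.2", "identifiers": ["pkg:generic/example-app@1.4.2"],
         "dependencies": ["libfoo"]},
        {"id": "libfoo", "supplier": "Foo Project", "name": "libfoo",
         "version": "0.9.1", "identifiers": ["pkg:generic/libfoo@0.9.1"],
         "dependencies": []},
    ],
}

# Constructed sample with three defects: no timestamp, a dangling dependency
# reference, and a component with no version.
BAD_SBOM = {
    "author": "Example Vendor build pipeline (constructed)",
    "components": [
        {"id": "app", "supplier": "Example Vendor", "name": "example-app",
         "version": "1.4.2", "identifiers": ["pkg:generic/example-app@1.4.2"],
         "dependencies": ["libfoo", "libbar"]},
        {"id": "libfoo", "supplier": "Foo Project", "name": "libfoo",
         "identifiers": ["pkg:generic/libfoo"], "dependencies": []},
    ],
}


if __name__ == "__main__":
    for name, sbom in (("good", GOOD_SBOM), ("bad", BAD_SBOM)):
        print(name, check_sbom_json(json.dumps(sbom)) or "OK")
```

The checks are deliberately structural (is the field there, does the dependency graph close over the listed components) because that is all a minimum-elements document can promise; judging whether a version string or identifier is meaningful is a separate, format-specific question.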
Public Comments
CISA is soliciting public comments on this draft SBOM guidance document. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov: Docket # CISA-2025-0007). Comments should be submitted by October 3rd, 2025.
A reminder: this is a proposed guidance document, not a regulatory document. This means that there is a lack of specificity in what CISA is expecting to see in the SBOM data elements.
For more information about what is included in the draft document, including a commentary on the use of SBOMs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-2025-minimum-sbom - subscription required.