The updated voluntary guidance reflects the evolution of SBOM practices and aims to help organizations better manage software supply chain risks.


The Cybersecurity and Infrastructure Security Agency (CISA) has released a draft guide, “Minimum Elements for a Software Bill of Materials (SBOM),” for public comment. The document incorporates lessons learned from increased SBOM generation and usage since 2021 and provides an updated baseline for how software component information is documented and shared.

For healthcare technology management (HTM) professionals, who manage an increasing number of software-driven medical devices, SBOMs are a key tool for improving cybersecurity. By providing a detailed inventory of a device’s software components, an SBOM helps organizations identify potential vulnerabilities and manage supply chain risks more effectively.

Since the National Telecommunications and Information Administration (NTIA) first published its SBOM Minimum Elements in 2021, the agency notes that practices have evolved with expanded tooling and greater stakeholder adoption. The new 2025 draft from CISA raises expectations for SBOMs to align with these current capabilities.

“This voluntary guidance will empower federal agencies and other organizations to make risk-informed decisions, strengthen their cybersecurity posture, and support scalable, machine-readable solutions,” says Chris Butera, CISA acting executive assistant director for cybersecurity, in a release. “We encourage members of the public to review this guidance and provide comment on how we can improve this list of minimum elements.”

Proposed Updates to SBOM Elements

The draft guidance introduces several new minimum elements: component hash, license information, the name of the tool used to generate the SBOM, and generation context. It also updates existing elements for improved clarity, such as the SBOM author, software producer, and component version.

The public comment period for the draft guidance concludes on Oct 3, 2025. Following the review of public feedback, CISA will issue a revised version of the minimum elements.
