CISA Proposes New SBOM Requirements Under Biden Administration

Summary

– CISA is requesting public comments on an updated version of the 2021 NTIA SBOM Minimum Elements guideline to reflect improvements in SBOM tooling and maturity.
– An SBOM is a machine-readable document listing all software packages and dependencies used by an organization, aimed at enhancing cybersecurity.
– The original 2021 guideline was directed by President Biden’s Executive Order on Improving the Nation’s Cybersecurity, and a 2022 order required vendors to provide SBOMs to the US government.
– Recent changes include the departure of a key SBOM advocate and the reported shutdown of CISA’s SBOM Working Group, with OpenSSF announcing it will launch a successor.
– The SBOM community has grown since 2021, with increased participation from the open source community and expanded tooling capabilities beyond generation to sharing and analysis.

The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking public input on an updated framework outlining the essential components for a software bill of materials (SBOM). This initiative reflects ongoing efforts to strengthen cybersecurity across federal software supply chains, ensuring greater transparency and resilience against threats.

An SBOM serves as a detailed, machine-readable inventory of all software components and dependencies used within an organization. It includes open-source elements and other foundational code, providing a clear view of what makes up a given software product.

Back in 2021, the National Telecommunications and Information Administration (NTIA) released the initial “Minimum Elements” document for SBOMs. This guidance emerged in response to President Biden’s Executive Order 14028, which focused on enhancing national cybersecurity. The following year, the White House mandated that software vendors working with the US government provide an SBOM, aiming to secure every link in the supply chain.

This move was not without controversy. Several cybersecurity industry groups expressed concerns, calling for a delay in SBOM requirements for defense contractors. They argued that the supporting tools and practices were not yet mature enough for widespread implementation.

In September 2022, the Office of Management and Budget issued memorandum M-22-18, tasking CISA with developing updated guidance to replace the 2021 NTIA standards. This directive emphasized secure software development practices as a cornerstone of supply chain safety.

Recent developments suggest a shift in how SBOM adoption is being advanced. Allan Friedman, a key figure leading CISA’s SBOM initiatives since 2021, departed the agency in July 2025. Shortly after, the Open Source Security Foundation (OpenSSF) announced it would take over the work of CISA’s SBOM Working Group, though CISA has not officially confirmed the group’s closure.

CISA now aims to release a revised version of the SBOM Minimum Elements to align with technological progress and growing practical experience. The agency notes that the SBOM ecosystem has evolved significantly since 2021, with new tools enabling not only generation but also sharing, analysis, and management of these critical documents.

Community involvement has also expanded, with stronger participation from open-source developers and broader industry engagement. CISA is encouraging feedback from all interested parties, including specialists, academics, industry representatives, and public interest groups, to help shape the new guidelines. The deadline for submitting comments is October 3, 2025.

(Source: Info Security)
