Request for Comment on 2025 Minimum Elements for a Software Bill of Materials
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 161 (Friday, August 22, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 161 (Friday, August 22, 2025)]
[Notices]
[Pages 41094-41095]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-16147]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
[Docket No. CISA-2025-0007]
Request for Comment on 2025 Minimum Elements for a Software Bill
of Materials
AGENCY: Cybersecurity and Infrastructure Security Agency (CISA),
Department of Homeland Security (DHS).
ACTION: Request for Information (RFI).
-----------------------------------------------------------------------
SUMMARY: The Cybersecurity and Infrastructure Security Agency (CISA)
announces the publication and request for public comment on draft
guidance entitled, ``2025 Minimum Elements for a Software Bill of
Materials (SBOM)'' (2025 CISA SBOM Minimum Elements), which updates the
elements of an SBOM to reflect improvements in SBOM tooling and
increased maturity of SBOM implementation. CISA requests input on the
clarifications and enhancements in the proposed voluntary guidance.
DATES: Comments are encouraged and will be accepted until October 3,
2025. Submissions received after the deadline for receiving comments
may not be considered.
ADDRESSES: You may submit comments, identified by docket number CISA-
2025-0007, by following the instructions below for submitting comments
via the Federal eRulemaking Portal at <a href="http://www.regulations.gov">http://www.regulations.gov</a>.
Instructions: All comments received must include the agency name
and docket number Docket # CISA-2025-0007. All comments received will
be posted without change to <a href="http://www.regulations.gov">http://www.regulations.gov</a>, including any
personal information provided.
Docket: For access to the docket to read background documents or
comments received, go to <a href="http://www.regulations.gov">http://www.regulations.gov</a>.
Commenters may access the 2025 CISA SBOM Minimum Elements on CISA's
website at: <a href="https://cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom">https://cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom</a>.
FOR FURTHER INFORMATION CONTACT: Victoria Ontiveros,
victoria.ontiveros@mail.cisa.dhs.gov.
SUPPLEMENTARY INFORMATION:
I. Public Participation
Interested persons are invited to comment on this notice by
submitting written data, views, or arguments using the method
identified in the ADDRESSES section. All members of the public,
including, but not limited to, specialists in the field, academic
experts, industry, public interest groups, and those with relevant
economic expertise, are invited to comment.
II. Background
An SBOM is a nested inventory, a list of ingredients that make up
software components. The National Telecommunications and Information
Administration (NTIA) published ``Minimum Elements for a Software Bill
of Materials (SBOM)'' on July 12, 2021 (2021 NTIA SBOM Minimum
Elements), as directed by Executive Order (E.O.) 14028. These minimum
elements marked an important milestone for the NTIA's SBOM advancement
efforts and established basic specifications for software producers and
tool developers. This 2021 document was designed to establish a
baseline of what the U.S. Government considered an SBOM to minimize
variation in what was submitted.
In 2021, software producers and consumers alike were largely
unfamiliar with SBOM. SBOM implementation practices were only just
emerging and options for tools to create and manage SBOMs were limited.
The 2021 NTIA SBOM Minimum Elements reflected the state of practice at
the time. On September 14, 2022, the Office of Management and Budget
issued memorandum M-22-18, ``Enhancing the Security of the Software
Supply Chain through Secure Software Development Practices,'' which
indicates that CISA would produce successor guidance to the 2021 NTIA
SBOM Minimum Elements.
For instance, the SBOM tooling landscape has expanded beyond SBOM
generation to include, among other capabilities, sharing, analyzing,
and managing SBOMs. The SBOM community has also grown to include
stakeholders from an even greater number of industries and sectors.
Open source software communities have also been active in driving
forward the development of machine-processable SBOM operations. Experts
from across the software ecosystem identified new use cases and
applications for SBOM data. Cybersecurity organizations around the
world have issued their own guidance on SBOM. As a result of these
developments, the overall maturity of SBOM implementation has grown
significantly since 2021.
The 2025 CISA SBOM Minimum Elements reflect the expanded
capabilities and functionalities of SBOM tooling, the increased
maturity of SBOM implementation, and the value of software supply chain
data. Although statutes, regulations, and binding
[[Page 41095]]
government-wide policies currently do not require that agencies obtain
SBOMs from their software vendors, stakeholder experience with
consuming and comparing data highlights the benefits of further clarity
and more common and more precise specifications. By updating the 2021
NTIA SBOM Minimum Elements and adding new minimum elements, CISA aims
to continue to promote SBOMs as a way to provide relevant and available
data to software users to illuminate their software supply chains,
better inform their risk management processes, and drive their software
security decisions.
III. List of Topics for Commenters
CISA seeks comments on the 2025 CISA SBOM Minimum Elements and the
following topics:
(1) Should any elements be removed from the 2025 CISA SBOM Minimum
Elements, meaning the element should not be required for all SBOMs?
Which elements, and why?
(2) Should CISA include any additional elements in the 2025 CISA
SBOM Minimum Elements, meaning the element should be a requirement for
all SBOMs? Which elements, and why?
(3) Are the definitions and defined processes and practices in the
2025 CISA SBOM Minimum Elements, including new definitions, updated
definitions, and the definitions carried over from the 2021 NTIA SBOM
Minimum Elements, sufficiently clear to support automated creation and
consumption? How can these definitions be improved?
(4) Are there specific contexts, technologies, or sectors where
these proposed minimum elements are not feasible? Please provide as
much detail as possible.
CISA also welcomes comments on other areas or approaches currently
absent from the guidance.
This notice is issued under the authority of 6 U.S.C. 652(c)(10)-
(11) and 6 U.S.C. 659(c)(7).
Christopher Butera,
Acting Executive Assistant Director for Cybersecurity, Cybersecurity
and Infrastructure Security Agency, Department of Homeland Security.
[FR Doc. 2025-16147 Filed 8-21-25; 8:45 am]
BILLING CODE 9111-LF-P
</pre></body>
</html>