{"id":2489,"date":"2025-08-26T05:54:07","date_gmt":"2025-08-26T05:54:07","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/08\/26\/cisa-seeks-biden-eras-sbom-minimum-requirements-guideline-change\/"},"modified":"2025-08-26T05:54:07","modified_gmt":"2025-08-26T05:54:07","slug":"cisa-seeks-biden-eras-sbom-minimum-requirements-guideline-change","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/26\/cisa-seeks-biden-eras-sbom-minimum-requirements-guideline-change\/","title":{"rendered":"CISA Seeks Biden Era&#8217;s SBOM Minimum Requirements Guideline Change"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-27ea01ad-ccf2-4722-81fe-ed733b053a42\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a request for comment on an updated version of a government guideline listing the minimum elements required for a software bill of materials (SBOM).<\/p>\n<p>An SBOM is a machine-readable document that lists all software packages an organization \u2013 or a unique business unit \u2013 uses and their dependencies, i.e., other elements the listed software is built on, including open source components.<\/p>\n<p>In 2021, the US National Telecommunications and Information Administration (NTIA) published a document, <em>2021 NTIA SBOM Minimum Elements<\/em>, to help federal agencies and US companies build their own SBOMs. 
This document was directed by President Biden\u2019s May 2021 Executive Order on Improving the Nation&#8217;s Cybersecurity (EO 14028).<\/p>\n<p>In September 2022, the White House published a new Executive Order requiring software vendors supplying the\u00a0US government to provide an SBOM.<\/p>\n<p>The objective was to ensure that all companies in the supply chain providing the US government with software and services are sufficiently protected against cyber-attacks.<\/p>\n<p>At the time, the decision sparked controversy, with a coalition of cybersecurity industry associations publishing an open letter urging the US Congress to delay SBOM requirements for defense contractors, arguing that the ecosystem was not mature enough.<\/p>\n<p>In September 2022, the Office of Management and Budget issued memorandum M-22-18, \u201cEnhancing the Security of the Software Supply Chain through Secure Software Development Practices,\u201d which indicated that CISA would produce successor guidance to the <em>2021 NTIA SBOM Minimum Elements<\/em>.<\/p>\n<h2><strong>SBOM Landscape Changes from 2021 to 2025<\/strong><\/h2>\n<p>Recent activity appears to suggest a change of strategy regarding the promotion of SBOMs under the Trump Administration.<\/p>\n<p>First, Allan Friedman, one of the most active SBOM advocates who had been leading CISA\u2019s SBOM efforts since August 2021, left the agency at the end of July 2025.<\/p>\n<p>In early August, the Open Source Security Foundation (OpenSSF) announced that CISA\u2019s SBOM Working Group was also shutting down and that the foundation would \u201cpick up the torch\u201d and launch its successor.<\/p>\n<p>However, to date, CISA has not publicly confirmed the closure of CISA\u2019s SBOM Working Group.<\/p>\n<p>CISA has also announced it intends to launch an updated version of the <em>2021 NTIA SBOM Minimum Elements<\/em> to \u201creflect improvements in SBOM tooling and increased maturity of SBOM implementation.\u201d<\/p>\n<p>\u201cFor 
instance, the SBOM tooling landscape has expanded beyond SBOM generation to include, among other capabilities, sharing, analyzing and managing SBOMs,\u201d CISA explained.<\/p>\n<p>The SBOM community has grown significantly since 2021, with new actors and stronger participation from the open source community in developing and improving SBOM generation and adoption.<\/p>\n<p>CISA is now seeking public participation to help the agency develop a new guideline, stating that all members of the public, including, but not limited to, specialists in the field, academic experts, industry, public interest groups and those with relevant economic expertise, are invited to comment.<\/p>\n<p>Interested parties have until October 3, 2025, to contribute.<\/p>\n<\/div>\n<figure id=\"layout-f5d957e4-337a-498a-8960-882d034f2d75\" data-layout-id=\"8\" data-edit-folder-name=\"embed\" data-index=\"1\"><\/figure>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a request for comment on an updated version of a government guideline listing the minimum elements required for a software bill of materials (SBOM). 
An SBOM is a machine-readable document that lists all software packages an organization \u2013 or a unique business unit \u2013 uses<\/p>\n","protected":false},"author":2,"featured_media":2490,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2489","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2489-18264bc3-7f1e-44b4-90a5-bcfb2b8120fe-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft3
65.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2489"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2489\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2490"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2489"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}