{"id":2670,"date":"2025-09-05T04:52:11","date_gmt":"2025-09-05T04:52:11","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/05\/us-and-14-allies-release-joint-guidance-on-software-bill-of-materials\/"},"modified":"2025-09-05T04:52:11","modified_gmt":"2025-09-05T04:52:11","slug":"us-and-14-allies-release-joint-guidance-on-software-bill-of-materials","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/05\/us-and-14-allies-release-joint-guidance-on-software-bill-of-materials\/","title":{"rendered":"US and 14 Allies Release Joint Guidance on Software Bill of Materials"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-066966f3-b695-415e-9b12-e8df53ad7b5b\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>In a landmark collaboration, cybersecurity and intelligence agencies from 15 countries have aligned on a shared vision for Software Bills of Materials (SBOMs), issuing new joint guidance to strengthen global supply chain security.<\/p>\n<p>The document, titled &#8220;<em>A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity<\/em>,&#8221; was published on September 3.<\/p>\n<p>It was signed by 21 government agencies from 15 countries, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the NSA.<\/p>\n<p>It outlines key terms and concepts related to SBOMs, including a common definition of what an SBOM is, the value proposition of SBOMs, and how to implement them.<\/p>\n<\/p><\/div>\n<figure id=\"layout-7e1b1a17-51b5-4537-b2d9-66846e37535c\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/localimages\/8a29533a-644b-4e28-ad8b-42a5a42527ba.png\" alt=\"Source: \u201cA Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity\u201d \/ US Cybersecurity and Infrastructure Security Agency (CISA)\"><figcaption>Source: \u201cA Shared 
Vision of Software Bill of Materials (SBOM) for Cybersecurity\u201d \/ US Cybersecurity and Infrastructure Security Agency (CISA)<\/figcaption><\/figure>\n<div id=\"layout-c0df6440-09ba-4be6-98d2-e679fc38483c\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>It describes the roles of SBOM producers, end-users (referred to as \u201cchoosers\u201d in the document), operators and national cybersecurity organizations.<\/p>\n<p>Additionally, the guidance encourages widespread SBOM adoption across sectors and borders, harmonized technical implementations to reduce complexity and cost, and integration of SBOMs into security workflows for better risk management.<\/p>\n<\/div>\n<figure id=\"layout-a7f963d7-cbd5-48f0-b7be-c1eabd6e9d5e\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"3\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/localimages\/5f8aa08a-2de0-4e83-9b1a-a715e516475e.png\" alt=\"Source: \u201cA Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity\u201d \/ US Cybersecurity and Infrastructure Security Agency (CISA)\"><figcaption>Source: \u201cA Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity\u201d \/ US Cybersecurity and Infrastructure Security Agency (CISA)<\/figcaption><\/figure>\n<div id=\"layout-49ebdcbc-c55b-4b02-bfa8-c8684b69cbda\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"4\">\n<p>\u201cThis milestone reflects a growing international consensus on the importance of software transparency in securing the digital supply chain,\u201d a CISA spokesperson commented.<\/p>\n<p>Luk\u00e1\u0161 Kintr, director of the Czech National Cyber and Information Security Agency (N\u00daKIB), one of the signatories, emphasized the increasing complexity of software that organizations must face.<\/p>\n<p>\u201cToday\u2019s software often consists of hundreds of components originating from various sources and libraries. 
SBOM brings essential transparency into this complex environment and clearly shows what the software is made of. I regard SBOM as a key step toward creating truly secure and resilient software \u2013 already from its design,\u201d he said.<\/p>\n<p>Nobutaka Takeo, director of the Cybersecurity Division at the Japanese Ministry of Economy, Trade and Industry\u2019s (METI) Commerce and Information Policy Bureau, stated: \u201cWe are pleased to see that the importance of SBOM is being internationally recognized through this guideline. Last year, Japan released SBOM Guidance 2.0, and we will continue to raise awareness of SBOM among relevant stakeholders while actively contributing to international discussions on the topic.&#8221;\u00a0<\/p>\n<h2><strong>Working Towards SBOM Harmonization and Legislation<\/strong><\/h2>\n<p>Allan Friedman, who led CISA\u2019s SBOM efforts between August 2021 and July 2025, welcomed the publication of the joint guidance.<\/p>\n<p>In a LinkedIn post, he emphasized that it was \u201cthe largest number of organizations that have ever joined CISA in an international document.\u201d<\/p>\n<p>\u201cThere is nothing here ground-breaking, but it&#8217;s great to have such broad input from so many countries,\u201d he added, before suggesting further steps are still needed, including the harmonization of technical implementations.<\/p>\n<p>\u201cDivergent implementations could hinder widespread adoption and sustainable implementation of SBOM. 
An aligned and coordinated approach to SBOM will improve effectiveness while reducing costs and complexities,\u201d he said.<\/p>\n<\/div>\n<figure id=\"layout-9bbb92c4-14e9-47a6-ac7d-e7eee25d32ef\" data-layout-id=\"8\" data-edit-folder-name=\"embed\" data-index=\"5\"><\/figure>\n<div id=\"layout-f39db2d5-566c-47fd-b127-9051a619a814\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"6\">\n<p>Speaking to <em>Infosecurity<\/em>, Josh Bressers, VP of security at Anchore and leader of the OpenSSF SBOM Everywhere working group, described the effort as a \u201cgreat\u201d initiative.<\/p>\n<div>\n<p>Nevertheless, he corroborated Friedman\u2019s view, stating that this high-level agreement is only \u201cthe logical first step to see a global adoption of software transparency through SBOMs.\u201d<\/p>\n<p>Bressers\u2019 wish for the next step is to see common legislation and guidance on software supply chain security between the signatory countries.<\/p>\n<p>\u201cMost producers operate on a global stage now, [regulations] like the EU\u2019s Cyber Resilience Act (CRA) are going to affect a huge number of companies. No doubt other countries will create similar guidance. 
If we don&#8217;t have a common vision, it&#8217;s going to be very difficult to meet all the requirements,\u201d he concluded.<\/p>\n<\/div>\n<p>Alongside CISA, the NSA, N\u00daKIB and METI, signatory organizations included:<\/p>\n<ul>\n<li>The Australian Signals Directorate\u2019s Australian Cyber Security Centre (ASD\u2019s ACSC)<\/li>\n<li>The Canadian Centre for Cyber Security (Cyber Centre)<\/li>\n<li>The French Cybersecurity Agency (ANSSI)<\/li>\n<li>Germany\u2019s Federal Office for Information Security (BSI)<\/li>\n<li>The Indian Computer Emergency Response Team (CERT-In)<\/li>\n<li>Italy\u2019s National Cybersecurity Agency (ACN)<\/li>\n<li>Japan\u2019s National Cybersecurity Office (NCO)<\/li>\n<li>The Netherlands\u2019 National Cyber Security Centre (NCSC-NL)<\/li>\n<li>New Zealand\u2019s National Cyber Security Centre (NCSC-NZ)<\/li>\n<li>Poland\u2019s Research and Academic Computer Network (NASK)<\/li>\n<li>The Cyber Security Agency of Singapore (CSA)<\/li>\n<li>Slovakia\u2019s National Security Authority (NB\u00da)<\/li>\n<li>South Korea\u2019s National Intelligence Service\/National Cyber Security Center (NIS\/NCSC) and the Korean Internet and Security Agency (KISA)<\/li>\n<\/ul>\n<p><em>Read more: CISA Seeks Biden Era&#8217;s SBOM Minimum Requirements Guideline Change<\/em><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In a landmark collaboration, cybersecurity and intelligence agencies from 15 countries have aligned on a shared vision for Software Bills of Materials (SBOMs), issuing new joint guidance to strengthen global supply chain security. The document, titled &#8220;A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity,&#8221; was published on September 3. 
It was signed<\/p>\n","protected":false},"author":2,"featured_media":2671,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2670","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2670-1e076e05-59a3-42fd-8428-6f2d24347fe5-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2670","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2670"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2670\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2671"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2670"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2670"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}