Published on: 9/29/2025
Background
On August 22, 2025, the Cybersecurity & Infrastructure Security Agency (CISA) released a draft 2025 guide for Software Bill of Materials (SBOM). The draft, 2025 Minimum Elements for a Software Bill of Materials, is meant to update the 2021 SBOM guide, The Minimum Elements For a Software Bill of Materials, published by the National Telecommunications and Information Administration (NTIA). A 2022 directive, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, from the Office of Management and Budget (OMB), requires agencies to use SBOMs aligned with CISA guidance.
How SBOMs are changing
SBOMs are rapidly evolving from a conceptual framework to a cornerstone of modern cybersecurity practice. Over the past five years, U.S. federal policy and industry collaboration have advanced SBOMs from a pilot concept into a functional requirement for software supply chain transparency.
The 2024 CISA report, “Framing Software Component Transparency,” established a baseline for defining SBOMs and how they can be generated, as well as their applications across use cases ranging from vulnerability management to license compliance.
The subsequent draft, 2025 CISA Minimum Elements for an SBOM:
- Refines the mandatory core of SBOM practice
- Adds new required data elements: Component Hash, License, Tool Name, Generation Context
- Clarifies roles: SBOM Author vs. Software Producer
- Emphasizes automation and interoperability
- Recognizes emerging frontiers:
  - SBOM adaptation for cloud/Software-as-a-Service (SaaS) and Artificial Intelligence (AI) systems
  - The need for validation mechanisms
  - Integration with vulnerability intelligence such as Vulnerability Exploitability Exchange (VEX) and Common Security Advisory Framework (CSAF)
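As an added example (not CISA's tooling or anything from the draft itself), the check below reads a CycloneDX-style SBOM and reports which of the four newly required elements listed above are missing. Field names follow the CycloneDX 1.5 JSON layout; mapping “Generation Context” onto `metadata.lifecycles` and the sample SBOM contents are assumptions made here.

```python
"""Check a CycloneDX-style SBOM for the four data elements the 2025 CISA draft adds.
Added example, not CISA tooling. Treating metadata.lifecycles as the
"Generation Context" element is an assumption made for this illustration."""
import json

# Constructed sample SBOM: "libfoo" is complete, "libbar" lacks a hash and a license.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "tools": {"components": [{"type": "application", "name": "example-sbom-tool"}]},
        "lifecycles": [{"phase": "build"}],
    },
    "components": [
        {"name": "libfoo", "version": "1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "libbar", "version": "0.9.0"},
    ],
})


def check_minimum_elements(sbom_json: str) -> dict:
    """Return {element: [findings]}; an empty list means that element is satisfied."""
    sbom = json.loads(sbom_json)
    meta = sbom.get("metadata", {})
    findings = {"Tool Name": [], "Generation Context": [], "Component Hash": [], "License": []}
    tools = meta.get("tools", {})
    # CycloneDX 1.5 nests tools under "components"; 1.4 used a flat list of tool objects.
    tool_list = tools.get("components", []) if isinstance(tools, dict) else tools
    if not any(t.get("name") for t in tool_list):
        findings["Tool Name"].append("metadata.tools has no named tool")
    if not any(lc.get("phase") for lc in meta.get("lifecycles", [])):
        findings["Generation Context"].append("metadata.lifecycles has no phase")
    for comp in sbom.get("components", []):
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        # A usable hash needs both an algorithm and a digest value.
        if not any(h.get("alg") and h.get("content") for h in comp.get("hashes", [])):
            findings["Component Hash"].append(f"{label}: no hash")
        # Either a named license object or an SPDX expression counts.
        if not any("license" in lic or "expression" in lic for lic in comp.get("licenses", [])):
            findings["License"].append(f"{label}: no license")
    return findings


if __name__ == "__main__":
    for element, problems in check_minimum_elements(SAMPLE_SBOM).items():
        print(f"{element}: {'ok' if not problems else '; '.join(problems)}")
```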
Together, these documents provide a framing guide for understanding SBOM’s role in the broader ecosystem, and a compliance-ready checklist of minimum requirements for federal and commercial adoption.
For Information Systems Security Officers (ISSOs), information security professionals, and Information and Communications Technology (ICT) acquisition personnel, they highlight the operational and policy rules that make SBOMs indispensable for software risk management in today’s threat environment.
Why SBOMs matter
Software supply chains are complex, interdependent, and hard to understand. As recent breaches and exploits have demonstrated, lack of transparency creates systemic risk. An SBOM provides a nested inventory, a machine-readable “ingredients list” of all software components and dependencies. This transparency allows organizations to:
- Map vulnerabilities directly to affected components
- Ensure license and intellectual property compliance
- Trace software provenance and pedigree, including forks and backports
- Make risk-informed acquisition and deployment decisions
From reactive to proactive risk management
Ultimately, SBOMs transform the way organizations view software: not as a monolithic product, but as an assembly of interdependent parts whose integrity and trustworthiness must be verified at every stage of the lifecycle. By shifting the focus from reactive patching to proactive transparency, SBOMs enable organizations to anticipate risks, shorten response times to new vulnerabilities, and strengthen procurement decisions.
SBOMs are not simply technical inventories; they are decision-support tools. They provide a shared language across producers, operators, and regulators, reducing ambiguity and creating accountability in software delivery chains. As regulatory requirements tighten and adversarial threats increase, the ability to see and understand the software you depend on is no longer optional. It is a minimal condition of responsible governance, risk management, and cybersecurity resilience.
How guidance has evolved
- 2021 NTIA Minimum Elements: First federal baseline, introduced core concepts.
- Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience: Links software procurement to NIST’s secure development practices, positioning SBOMs as a key tool to demonstrate supply chain transparency.
- 2024 Framing document: Broadened focus, clarified maturity models, and emphasized incremental adoption and tooling integration.
- 2025 Minimum Elements Draft: Reflects real-world lessons, codifies new requirements, and prepares agencies for advanced use cases such as SaaS and AI.
Key takeaway
U.S. federal guidance on SBOMs has progressed from establishing baseline requirements to mandating secure software development and procurement practices. CISA’s 2024 framing document refined the language and expectations around SBOM attributes, while the 2025 draft updates the minimum elements to reflect matured tools and practices, adding richer metadata for proactive risk management. Collectively, these efforts position SBOMs as essential instruments for improving software supply chain transparency, interoperability, and security across government and industry.
About the author: Michael “Hobie” Hobert supports Supply Chain Risk Management (SCRM) within the Division of Strategic Information (DSI) at the Centers for Medicare & Medicaid Services (CMS), applying his broad experience in healthcare, technology, and banking to expand security awareness at CMS.