CISA Seeks Biden Era’s SBOM Minimum Requirements Guideline Change

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a request for comment on an updated version of a government guideline listing the minimum elements required for a software bill of materials (SBOM).

An SBOM is a machine-readable document that lists all software packages an organization – or a unique business unit – uses and their dependencies, i.e., the other elements the listed software is built on, including open source components.
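As an added illustration, not part of the article and not tooling from CISA or NTIA: a small Python check that parses a constructed, simplified CycloneDX-style SBOM, reports which of the seven baseline data fields of the 2021 NTIA Minimum Elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp) each component lacks, and walks the dependency graph the definition above refers to. The document, component names and supplier names are invented sample data.

```python
import json

# Baseline data fields from the 2021 NTIA "Minimum Elements for an SBOM".
NTIA_COMPONENT_FIELDS = ("supplier name", "component name", "version", "unique identifier")
NTIA_DOCUMENT_FIELDS = ("author of SBOM data", "timestamp")

# Constructed sample document (simplified CycloneDX-style JSON; all names are invented).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2025-09-01T12:00:00Z",
        "authors": [{"name": "example build pipeline"}],
        "component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0",
                      "supplier": {"name": "Example Corp"}},
    },
    "components": [
        {"bom-ref": "parser-lib", "name": "parser-lib", "version": "2.3.1",
         "supplier": {"name": "Example Supplier A"}, "purl": "pkg:generic/parser-lib@2.3.1"},
        {"bom-ref": "codec-lib", "name": "codec-lib", "version": "0.9.0",
         "purl": "pkg:generic/codec-lib@0.9.0"},                       # supplier missing
        {"bom-ref": "util-lib", "name": "util-lib", "version": "",
         "supplier": {"name": "Example Supplier B"}},                 # version and identifier missing
        {"bom-ref": "orphan-lib", "name": "orphan-lib", "version": "1.0.0",
         "supplier": {"name": "Example Supplier C"},
         "purl": "pkg:generic/orphan-lib@1.0.0"},                     # never appears in the graph
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["parser-lib", "util-lib"]},
        {"ref": "parser-lib", "dependsOn": ["codec-lib"]},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse an SBOM given as JSON text."""
    return json.loads(text)


def check_component(component: dict) -> list:
    """Return the NTIA baseline fields a single component record is missing."""
    missing = []
    if not (component.get("supplier") or {}).get("name"):
        missing.append("supplier name")
    if not component.get("name"):
        missing.append("component name")
    if not component.get("version"):
        missing.append("version")
    # A purl or CPE counts as a unique identifier; a local bom-ref alone does not.
    if not (component.get("purl") or component.get("cpe")):
        missing.append("unique identifier")
    return missing


def check_minimum_elements(sbom: dict) -> dict:
    """Map each component (by bom-ref) and the document itself ("<document>") to the
    baseline fields it lacks; entries with nothing missing are omitted."""
    findings = {}
    metadata = sbom.get("metadata", {})
    doc_missing = [f for f, present in (("author of SBOM data", metadata.get("authors")),
                                        ("timestamp", metadata.get("timestamp"))) if not present]
    if doc_missing:
        findings["<document>"] = doc_missing
    for component in sbom.get("components", []):
        missing = check_component(component)
        if missing:
            findings[component.get("bom-ref") or component.get("name")] = missing
    # "Dependency relationship": every component should appear somewhere in the graph.
    referenced = set()
    for entry in sbom.get("dependencies", []):
        referenced.add(entry.get("ref"))
        referenced.update(entry.get("dependsOn", []))
    for component in sbom.get("components", []):
        if component.get("bom-ref") not in referenced:
            findings.setdefault(component.get("bom-ref"), []).append("dependency relationship")
    return findings


def transitive_dependencies(sbom: dict, root: str) -> set:
    """Return every bom-ref reachable from `root` through the dependency graph
    (excluding the root itself); cycles are tolerated."""
    graph = {e["ref"]: e.get("dependsOn", []) for e in sbom.get("dependencies", [])}
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        ref = stack.pop()
        if ref in seen or ref == root:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    return seen


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM_JSON)
    for ref, missing in check_minimum_elements(doc).items():
        print(f"{ref}: missing {', '.join(missing)}")
    print("app depends (transitively) on:", sorted(transitive_dependencies(doc, "app")))
```

The check is deliberately format-light: it reads only the handful of keys that carry the NTIA baseline fields, so the same logic can be pointed at output from different generators once the key names are mapped, and an empty `version` or a component with no `purl`/`cpe` is reported rather than silently accepted.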

In 2021, the US National Telecommunications and Information Administration (NTIA) published a document, 2021 NTIA SBOM Minimum Elements, to help federal agencies and US companies build their own SBOM. This document was directed by President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028).

In September 2022, the White House published a new Executive Order requiring software vendors supplying the US government to provide an SBOM.

The objective was to ensure that all companies in the supply chain providing the US government with software and services are sufficiently protected against cyber-attacks.

At the time, the decision sparked controversy, with a coalition of cybersecurity industry associations publishing an open letter urging the US Congress to delay SBOM requirements for defense contractors, arguing that the ecosystem was not mature enough.

In September 2022, the Office of Management and Budget issued memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” which indicated that CISA would produce successor guidance to the 2021 NTIA SBOM Minimum Elements.

SBOM Landscape Changes from 2021 to 2025

Recent activity appears to suggest a change of strategy regarding the promotion of SBOMs under the Trump Administration.

First, Allan Friedman, one of the most active SBOM advocates who had been leading CISA’s SBOM efforts since August 2021, left the agency at the end of July 2025.

In early August, the Open Source Security Foundation (OpenSSF) announced that CISA’s SBOM Working Group was also shutting down and that the foundation would “pick up the torch” and launch its successor.

However, to date, CISA has not publicly confirmed the closure of its SBOM Working Group.

CISA has also announced it intends to launch an updated version of the 2021 NTIA SBOM Minimum Elements to “reflect improvements in SBOM tooling and increased maturity of SBOM implementation.”

“For instance, the SBOM tooling landscape has expanded beyond SBOM generation to include, among other capabilities, sharing, analyzing and managing SBOMs,” CISA explained.

The SBOM community has significantly grown since 2021, with new actors and a stronger participation of the open source community in developing and improving SBOM generation and adoption.

CISA is now seeking public participation to help the agency develop a new guideline, stating that all members of the public, including, but not limited to, specialists in the field, academic experts, industry, public interest groups and those with relevant economic expertise, are invited to comment.

Interested parties have until October 3, 2025, to contribute.