The Cybersecurity and Infrastructure Security Agency (CISA) is requesting public comment on its 2025 Minimum Elements for a Software Bill of Materials (SBOM) draft update, which aims to reflect the current maturity in software transparency and supply chain security. This update builds upon the 2021 NTIA SBOM Minimum Elements to help agencies and organizations more effectively manage software risk.

The draft document, published on 22 August 2025, is intended to guide SBOM implementation for U.S. federal departments and agencies, but it is also applicable to other organizations, particularly medical device manufacturers. It emphasizes that SBOMs provide a detailed inventory of software components, enabling organizations to identify vulnerabilities, assess risk, and make informed decisions. Automation remains a critical aspect of driving security at scale.

Summary of the 2025 Draft Update: The 2025 CISA SBOM Minimum Elements document introduces several additions and updates to the baseline data fields, practices, and processes for SBOMs. The minimum elements outlined apply to all software acquired or developed by agencies, including open-source, artificial intelligence (AI) software, and software-as-a-service (SaaS). It refines how the Federal Government should generate and request SBOMs, without creating new federal requirements.

Why should medical device manufacturers care? The US FDA specifically used the 2021 NTIA SBOM Minimum Elements recommendation as input to its premarket cybersecurity guidance document, which describes how manufacturers should generate SBOMs for the submission package and later share them with customers. The final release of the 2025 document is likely to be adopted by the FDA as the expected format in which submissions should include an SBOM. More details on the expected documentation for an FDA submission can be found here.

Key updates and additions include:

  • New Data Fields:
    • Component Hash: A cryptographic hash value computed over the software component, allowing a consumer to verify that the component in hand is the one described.
    • License: Information on the license(s) under which the software component is available.
    • Tool Name: Identifies the software tool(s) used by the SBOM Author to generate the SBOM.
    • Generation Context: Offers insight into the software lifecycle phase (before, during, or after build) when the SBOM was generated.
  • Major Updates to Existing Data Fields and Elements:
    • SBOM Author: Clarified as the entity creating the SBOM data, distinct from the Software Producer.
    • Software Producer: Replaces “Supplier Name” to identify the originator or manufacturer of the software component, allowing for multiple entries.
    • Component Version: Allows for the substitution of the file creation date if no version is provided by the producer.
    • Software Identifiers: Requires at least one identifier, preferring machine-processable and unique identifiers like CPE and PURL, and explicitly mentioning OmniBOR and SWHID.
    • Dependency Relationship: Now requires explicitly documenting pedigree for backported or forked software.
    • Coverage: Replaces “Depth” and now defines coverage as including horizontal breadth (in addition to vertical breadth) of software component information, meaning all components and their transitive dependencies, with no minimum depth.
    • Known Unknowns: Clarifies the distinction between information that is unknown to the author and information that is purposefully redacted due to contractual obligations.
    • Accommodation of Updates to SBOM Data: Replaces “Accommodation of Mistakes,” focusing on accommodating updates rather than corrections, reflecting improved SBOM data quality since 2021.
  • Removed Element: The “Access Controls” element is removed as a standalone requirement, with access control considerations now incorporated into the “Distribution and Delivery” element.
  • Automation Support: Removed SWID from the list of widely used data formats, while retaining SPDX and CycloneDX.
  • Timestamp: Clarifies that entries should adhere to ISO 8601 for better automation and interoperability.
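The new and updated data fields above amount to a checklist that can be applied mechanically to a generated SBOM. The script below is an added example, not part of the CISA document or any project's tooling: it loads a constructed, simplified CycloneDX-style JSON document and reports which 2025 minimum elements are missing. The mapping of each element onto CycloneDX field names (metadata.timestamp, metadata.tools, metadata.authors, metadata.lifecycles, per-component supplier, purl/cpe, hashes and licenses) is this example's assumption.

```python
"""Check a CycloneDX-style SBOM against the 2025 CISA minimum data fields (added example)."""
import json
import re

# Constructed sample document; field names follow CycloneDX JSON conventions (assumption).
SAMPLE_SBOM = json.dumps({
    "metadata": {
        "timestamp": "2025-08-22T10:15:00Z",                       # Timestamp (ISO 8601)
        "tools": [{"name": "example-sbom-tool", "version": "1.0.0"}],  # Tool Name
        "authors": [{"name": "Example SBOM Author"}],             # SBOM Author
        "lifecycles": [{"phase": "build"}],                       # Generation Context
    },
    "components": [
        {"name": "libfoo", "version": "1.2.3", "supplier": {"name": "Foo Project"},
         "purl": "pkg:generic/libfoo@1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "licenses": [{"license": {"id": "MIT"}}]},
        # Second component deliberately lacks version, identifier, hash and license.
        {"name": "libbar", "version": "", "supplier": {"name": "Bar Inc"},
         "hashes": [], "licenses": []},
    ],
})

# Basic ISO 8601 date-time with mandatory timezone designator.
ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def check_sbom(doc: dict) -> list[str]:
    """Return one finding per missing minimum element; an empty list means all checks passed."""
    findings = []
    meta = doc.get("metadata", {})
    if not ISO8601.match(meta.get("timestamp", "")):
        findings.append("timestamp: missing or not ISO 8601")
    if not meta.get("tools"):
        findings.append("tool name: no SBOM generation tool recorded")
    if not meta.get("authors"):
        findings.append("sbom author: missing")
    if not meta.get("lifecycles"):
        findings.append("generation context: lifecycle phase not recorded")
    for c in doc.get("components", []):
        name = c.get("name", "<unnamed>")
        if not c.get("supplier", {}).get("name"):
            findings.append(f"{name}: software producer missing")
        if not c.get("version"):
            findings.append(f"{name}: component version missing (file creation date is the fallback)")
        if not (c.get("purl") or c.get("cpe")):
            findings.append(f"{name}: no machine-processable identifier (purl/cpe)")
        if not any(h.get("content") for h in c.get("hashes", [])):
            findings.append(f"{name}: component hash missing")
        if not c.get("licenses"):
            findings.append(f"{name}: license missing")
    return findings


def check_sbom_json(text: str) -> list[str]:
    """Convenience wrapper: parse JSON text and run the checks."""
    return check_sbom(json.loads(text))
```

Running check_sbom_json(SAMPLE_SBOM) yields four findings, all for libbar; a real review would run the same checks over every component in a vendor-supplied SBOM and treat a missing hash or identifier as a gap to raise with the producer.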

Comparison to Previous CISA Publications on SBOM:

  1. 2021 NTIA SBOM Minimum Elements: The 2025 CISA draft explicitly updates and clarifies the 2021 NTIA document. Many of the changes mentioned above are direct revisions to the 2021 elements:
    • The Supplier Name element from 2021 is replaced by Software Producer, which is considered less ambiguous and better aligns with the entity that originated the software.
    • The 2025 draft introduces Component Hash, License, Tool Name, and Generation Context as entirely new minimum elements, recognizing their importance for risk-informed decisions and improved data quality.
    • The shift from “Depth” to “Coverage” for dependencies signifies a more mature understanding, moving beyond just top-level dependencies to a comprehensive horizontal and vertical breadth.
    • The clarification of “Known Unknowns” addresses ambiguities raised by stakeholders since 2021, distinguishing between truly unknown data and purposefully redacted information.
    • The removal of “Access Controls” as a separate element reflects the evolution of SBOM sharing practices, integrating access considerations into distribution and delivery.
    • The change from “Accommodation of Mistakes” to “Accommodation of Updates to SBOM Data” indicates an expectation of higher data accuracy and a focus on keeping information current rather than correcting frequent errors.
  2. Framing Software Component Transparency (Third Edition, 2024): The “Framing Software Component Transparency” document is a community-driven workstream output, adopted by CISA, that further defines and clarifies SBOM attributes from previous editions. While it is distinct from the official “Minimum Elements” documents, it reflects the maturing understanding and best practices that often inform the official minimum requirements.
    • Many of the “new” minimum elements in the 2025 CISA draft were already discussed as Baseline Attributes or Recommended Practices within the 2024 Framing document. For example:
      • The 2024 Framing document lists Cryptographic Hash as a Baseline Attribute with minimum expected maturity levels.
      • License and Copyright Notice were added as Baseline Attributes in the 2024 Framing document’s updates.
      • The 2024 Framing document recommends identifying tool(s) and version(s) as a “Recommended Practice” under the Author Name attribute.
      • The 2024 Framing document already specifies that the Timestamp should use ISO 8601 format.
      • The concept of different SBOM Types (similar to “Generation Context”) created at various points of the lifecycle (design, source, build, deployed) is discussed in the 2024 Framing document.
      • The 2024 Framing document provides maturity levels (Minimum Expected, Recommended Practice, Aspirational Goal) for many attributes, indicating an evolutionary path for SBOM content. The 2025 CISA Minimum Elements draft effectively raises the “Minimum Expected” baseline for official government requirements, formalizing many aspects previously considered recommended or aspirational in the community-driven framing document.
    • The 2024 Framing document acknowledges the role of NTIA’s 2021 Minimum Elements and CISA’s authority to update it, indicating a cohesive, albeit distinct, evolution of SBOM guidance. It also refers to the NTIA’s “Roles and Benefits for SBOM Across the Supply Chain” for perspectives like “Chooser” and “Operator,” which are also cited in the 2025 CISA document.

In essence, the 2025 CISA draft represents a significant formalization and elevation of SBOM requirements, drawing on the practical experiences and community-driven advancements documented in publications like the 2024 “Framing Software Component Transparency” to update the foundational 2021 NTIA Minimum Elements.

Reference: https://www.cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom