CISA has published a public comment draft of updated SBOM Minimum Elements. This draft is intended as successor guidance to the NTIA Minimum Elements first issued on July 12, 2021. Comments are open until October 3, 2025 (Federal Register notice).
What changed at a glance
New required data fields
- Component hash
- License
- Tool name used to generate the SBOM
- Generation context: pre-build, build-time, or post-build
Renamed or clarified fields
- Supplier Name → Software Producer
- Author of SBOM Data → SBOM Author
- Other Unique Identifiers → Software Identifiers (at least one required; examples include CPE, purl, OmniBOR, SWHID)
- Version of the Component → Component Version (a file creation date may stand in when no version exists)
- Depth → Coverage (requires a comprehensive listing, including transitive dependencies, with duplicate components listed separately when their metadata differs)
- Accommodation of Mistakes → Accommodation of Updates to SBOM Data
- Frequency clarified; Distribution and Delivery clarified
- Timestamp must follow ISO 8601
- SWID removed from Automation Support examples
Removed
- Access Control as a standalone element (folded into Distribution and Delivery expectations for controlled sharing).
Practical implications
- Under the draft, SBOMs must include hashes, licenses, and tool provenance. This strengthens integrity validation, license compliance, and reproducibility.
- Coverage is stricter. Transitive dependencies and duplicate instances are explicitly in scope.
- Known Unknowns must be flagged, with a distinction between components that are unknown and components that were intentionally redacted, which reduces ambiguity during audits and incident response.
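To make the new field list concrete, here is an added example (not CISA's guidance text and not any SBOM tool's own code) that scans a CycloneDX JSON SBOM for the elements the draft requires and reports what is missing. The mapping of draft elements onto CycloneDX field names is an assumption: SBOM Author to metadata.authors, tool name to metadata.tools, generation context to metadata.lifecycles phases (pre-build, build, post-build), Software Identifiers to purl/cpe/omniborId/swhid, Software Producer to supplier.name. The sample SBOM is constructed for the example.

```python
"""Check a CycloneDX JSON SBOM against the data fields in CISA's draft SBOM
Minimum Elements. Added example; the mapping of draft elements onto CycloneDX
1.5/1.6 field names below is an assumption, not part of the draft."""
import json
import sys
from datetime import datetime

# Draft "generation context" values, mapped (assumption) onto CycloneDX lifecycle phases.
CONTEXT_PHASES = {"pre-build", "build", "post-build"}
# Draft "Software Identifiers" examples, mapped onto CycloneDX component keys
# (omniborId and swhid are the CycloneDX 1.6 key names; assumption).
IDENTIFIER_KEYS = ("purl", "cpe", "omniborId", "swhid")


def _iso8601(ts):
    """True if ts parses as an ISO 8601 timestamp (a trailing Z is accepted)."""
    if not isinstance(ts, str):
        return False
    try:
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def _tool_names(tools):
    """Tool names from the 1.4 list form or the 1.5+ {components, services} form."""
    if isinstance(tools, list):
        return [t.get("name") for t in tools if t.get("name")]
    if isinstance(tools, dict):
        return [t.get("name") for key in ("components", "services")
                for t in tools.get(key, []) if t.get("name")]
    return []


def check_minimum_elements(bom):
    """Return a list of findings; an empty list means every checked element is present."""
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("authors"):
        findings.append("metadata: SBOM Author missing (metadata.authors)")
    if not _iso8601(meta.get("timestamp")):
        findings.append("metadata: Timestamp missing or not ISO 8601")
    if not _tool_names(meta.get("tools")):
        findings.append("metadata: SBOM generation tool name missing (metadata.tools)")
    phases = {lc.get("phase") for lc in meta.get("lifecycles", [])}
    if not phases & CONTEXT_PHASES:
        findings.append("metadata: generation context missing (lifecycle phase must be "
                        "pre-build, build or post-build)")

    # bom-refs that are actually described: the root component plus every listed component.
    refs = {meta.get("component", {}).get("bom-ref")}
    for comp in bom.get("components", []):
        label = comp.get("name", "<unnamed>")
        refs.add(comp.get("bom-ref"))
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: Software Producer missing (supplier.name)")
        if not comp.get("version"):
            findings.append(f"{label}: Component Version missing")
        if not any(comp.get(k) for k in IDENTIFIER_KEYS):
            findings.append(f"{label}: no Software Identifier (purl/cpe/omniborId/swhid)")
        if not any(h.get("alg") and h.get("content") for h in comp.get("hashes", [])):
            findings.append(f"{label}: Component Hash missing")
        if not comp.get("licenses"):
            findings.append(f"{label}: License missing")

    # Coverage: every node the dependency graph names must have a component entry.
    # A dangling ref is a transitive dependency the SBOM mentions but never lists.
    for dep in bom.get("dependencies", []):
        for ref in [dep.get("ref"), *dep.get("dependsOn", [])]:
            if ref not in refs:
                findings.append(f"dependencies: ref {ref!r} has no component entry")
    return findings


# Constructed sample: "libfoo" meets the draft, "libbar" misses several fields, and the
# dependency graph names "libbaz", which is never listed as a component.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {
        "timestamp": "2025-09-15T12:00:00Z",
        "lifecycles": [{"phase": "build"}],
        "tools": {"components": [{"type": "application", "name": "example-sbom-tool"}]},
        "authors": [{"name": "Release Engineering"}],
        "component": {"type": "application", "bom-ref": "app", "name": "demo-app",
                      "version": "2.3.1", "supplier": {"name": "Example Corp"}},
    },
    "components": [
        {"type": "library", "bom-ref": "libfoo", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2", "supplier": {"name": "Foo Project"},
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "libbar", "name": "libbar",
         "supplier": {"name": "Bar Project"}},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libfoo", "libbar"]},
        {"ref": "libfoo", "dependsOn": ["libbaz"]},
    ],
}

if __name__ == "__main__":
    # Pass a CycloneDX JSON file as the first argument, or run on the constructed sample.
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for finding in check_minimum_elements(bom):
        print(finding)
```

The dangling-ref test is a cheap proxy for the draft's stricter Coverage requirement; it catches dependencies the generator knew about but did not describe. The draft's distinction between unknown and intentionally redacted components has no standard field in this sample, so the check does not attempt it.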
How this relates to the 2021 NTIA Minimum Elements
The NTIA document established the original baseline in 2021. CISA was tasked by OMB M-22-18 to produce successor guidance that reflects today's SBOM maturity. This draft builds on and updates that baseline and, once finalized, will apply to federal use.
Comment window
CISA is accepting public comments until October 3, 2025. You can review the draft PDF and submit feedback through the Federal Register notice.