
CISA releases updated draft guidance for SBOM minimum elements

The software bill of materials guidance update focuses on improving scalability by refining data fields and supporting automation in security operations, the Homeland Security agency says.
By Andrea Fox, Senior Editor

The Cybersecurity and Infrastructure Security Agency has released long-awaited updated guidance on the Minimum Elements for a Software Bill of Materials, and is accepting public comments through Oct. 3. 

The new draft guidance aims to make SBOMs more comprehensive and effective, better informing users about their software's security and improving the management of vulnerabilities and risks. With CISA requiring cryptographic hashes for software, among other element additions and changes, SBOMs could become helpful operational tools. 

WHY IT MATTERS
Sometimes called a "nutrition label for software," SBOMs tell software users about components and dependencies and can help identify vulnerabilities, streamline patching and support compliance. The detailed inventories of software components have been a challenge to integrate into scalable cybersecurity practices. 

"SBOM implementations must be compatible with each other to support automation due to the volume of data, diverse use cases and variety of tools," said CISA officials in the new guidance.

In a statement this week, the agency said it's seeking to create a more comprehensive and effective tool for managing software vulnerabilities and risks. A key to managing SBOMs effectively is the ability of an organization to consume them through automation.

"Building on the 2021 NTIA SBOM Minimum Elements, this update aims to help agencies and organizations to manage software risk more effectively," said CISA officials.

Dave Roche, director of software trust at DigiCert and a contributor on SBOM guidance and public key infrastructure, said CISA's update also addresses one of the biggest policy gaps that limit the efficacy of SBOMs.

"Up until now, SBOMs could be generated and shared, but there was no definitive way to ensure they hadn’t been altered or tampered with once they left the creator organization," he told Healthcare IT News by email on Tuesday. 

"SBOM implementation practices have advanced significantly since the 2021 document was published," CISA noted in the guidance. "SBOM tooling, in response to the increased adoption and implementation of SBOM, has matured far beyond the capabilities and functionalities of tools available in 2021." 

The new guidance introduces Component Hash, License, Tool Name and Generation Context to better inform users about software security. It also clarifies the data needed for SBOM Author, Software Producer, Component Version, Software Identifiers, Coverage and Accommodation of Updates to SBOM Data. The draft also updates other elements to improve information quality, CISA said.

Roche noted that he's previously raised concerns about SBOMs creating a misleading picture of software integrity.

But "the addition of cryptographic hashes for components changes that," he said. With a component hash requirement, "SBOMs can now unambiguously identify each element and make them verifiable against the original creator’s record," he said. 

Organizations requesting SBOMs can now "demand more information about their software components and supply chain," CISA said in the guidance. 

Roche called the requirement an advancement because trust was previously missing. However, "agencies still need better vulnerability integration and automation to make SBOMs truly operational," he said.
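The verification Roche describes, a consumer recomputing each component's hash and checking it against the Component Hash the producer recorded, is shown below as an added example. It is not code from CISA's guidance or from DigiCert; the SBOM field names (sbom_author, tool_name, generation_context, components, hash) are illustrative stand-ins for the elements the draft names and do not follow the SPDX or CycloneDX schema, and the component bytes and metadata are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed artifact bytes standing in for the delivered component files,
# keyed by component name.
DELIVERED_COMPONENTS = {
    "libfoo": b"libfoo shared object contents (constructed)",
    "bar-utils": b"bar-utils archive contents (constructed)",
}

# Constructed component metadata the producer knows at build time.
COMPONENT_METADATA = [
    {"name": "libfoo", "version": "1.2.3", "license": "MIT"},
    {"name": "bar-utils", "version": "0.9.1", "license": "Apache-2.0"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def generate_sbom(metadata, artifacts, author, tool_name, generation_context):
    """Producer side: emit an SBOM record carrying a Component Hash for every
    component. Field names are hypothetical, not a specific SPDX/CycloneDX schema."""
    components = []
    for meta in metadata:
        components.append({
            "name": meta["name"],
            "version": meta["version"],
            "license": meta["license"],
            "hash": {"alg": "sha256", "value": sha256_hex(artifacts[meta["name"]])},
        })
    return json.dumps({
        "sbom_author": author,
        "tool_name": tool_name,
        "generation_context": generation_context,
        "components": components,
    })


def verify_sbom(sbom_json, artifacts):
    """Consumer side: recompute each delivered component's hash and compare it
    with the SBOM's recorded Component Hash. Returns a per-component status so
    the result can feed an automated gate rather than a human read-through."""
    sbom = json.loads(sbom_json)
    results = {}
    for comp in sbom["components"]:
        name = comp["name"]
        recorded = comp.get("hash")
        if not recorded:
            # A hash-less entry (the pre-2025 situation): nothing to verify against.
            results[name] = "no-hash"
            continue
        if recorded.get("alg") != "sha256":
            results[name] = "unsupported-alg"
            continue
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing-artifact"
            continue
        actual = sha256_hex(data)
        # Constant-time comparison of the hex digests.
        results[name] = "ok" if hmac.compare_digest(actual, recorded["value"]) else "hash-mismatch"
    return results


if __name__ == "__main__":
    sbom = generate_sbom(COMPONENT_METADATA, DELIVERED_COMPONENTS,
                         author="example-vendor", tool_name="example-sbom-tool 1.0",
                         generation_context="build")
    print("intact delivery:", verify_sbom(sbom, DELIVERED_COMPONENTS))
    # Simulate a component altered after the SBOM left the producer.
    tampered = dict(DELIVERED_COMPONENTS)
    tampered["libfoo"] = b"libfoo shared object contents (altered in transit)"
    print("tampered delivery:", verify_sbom(sbom, tampered))
```

The point of the per-component status values is automation: a consumer pipeline can reject a delivery on any "hash-mismatch" or "missing-artifact", and treat "no-hash" as an SBOM that does not meet the minimum elements rather than silently passing it.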

CISA noted that while the updated guidance on minimum elements required in SBOMs applies to all software, additions to the updated list may be beneficial for certain software.

"Discussions across the software ecosystem have begun to explore possible additional elements for some types of software, namely software-as-a-service in cloud environments and artificial intelligence software systems." 

THE LARGER TREND
Former President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity, which first required SBOMs for software sold to the U.S. federal government in 2021, sought to improve security protection for critical information systems and sensitive data.

Fast forward to June of this year, and the 2025 Medical Device Cybersecurity Index found that 22% of more than 600 healthcare IT decision-makers who play a role in purchasing had experienced cyberattacks targeting their organizations' medical devices.

The poll revealed a troubling pattern about the underlying security of equipment patients rely upon. More cyberattacks aimed at disrupting healthcare delivery are targeting medical device vulnerabilities, according to the report.

"Transparency through [SBOMs] is also emerging as a critical requirement," researchers said, with 78% of respondents citing them as "essential" or "important" in procurement decisions. 

ON THE RECORD
"SBOMs are a critical step toward achieving software component transparency, illuminating the software supply chain and better positioning organizations to make risk-informed decisions regarding their software," CISA said in the draft guidance. "SBOM will not resolve all software security and supply chain concerns, but it is a necessary step that enables and empowers risk-informed security decision making." 

"The 2025 draft does take a big step in the right direction by addressing one of the most important gaps that limited SBOMs from being truly actionable: provenance and integrity," Roche said by email. 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.