CISA’s Updated SBOM Guidelines: What’s New?

In August 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a public comment draft of its updated Minimum Elements for a Software Bill of Materials (SBOM). This marks a significant step forward from the 2021 NTIA baseline and reflects the growing maturity of SBOM practices, broader adoption across industries, and the urgent need for scalable software supply chain transparency.

What’s New in the Draft

The updated guidance introduces four new data fields designed to strengthen traceability and visibility throughout the software lifecycle:

  • Component Hash – provides a unique fingerprint for components
  • License – clarifies usage rights and obligations
  • Tool Name – identifies the tooling used to generate the SBOM
  • Generation Context – offers transparency into how and when the SBOM was created

In addition, several existing elements were expanded, including:

  • SBOM Author
  • Software Producer
  • Component Version
  • Software Identifiers
  • Dependency Relationship
  • Coverage
  • Known Unknowns
  • Accommodation of Updates

One notable change is the removal of the Access Controls field, with those considerations now folded into Distribution and Delivery.

New and Updated Data Fields

  • SBOM Author – Entity that creates the SBOM data
  • Software Producer – Entity that defines and identifies components
  • Component Name – Human-readable name assigned by the producer
  • Component Version – Version identifier or creation date
  • Software Identifiers – Unique identifiers (e.g. CPE, purl, UUID, OmniBOR)
  • Component Hash – Cryptographic hash of the component
  • License – License(s) under which the component is made available
  • Dependency Relationship – Inclusion or derivation relationship between components
  • Tool Name – Tool(s) used to generate or enrich the SBOM
  • Timestamp – ISO 8601 timestamp of the last SBOM update
  • Generation Context – Lifecycle phase during which the SBOM was generated (pre-build, build, post-build)

Emphasis on Automation and Interoperability

CISA’s draft underscores the importance of automation and machine readability. It explicitly endorses SPDX and CycloneDX as preferred formats while discouraging deprecated standards such as SWID.

The document also highlights three key practices for strengthening SBOM utility:

  • Update with every release
  • Include transitive dependencies
  • Declare Known Unknowns to reduce ambiguity and improve downstream risk management
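To make the draft's field list concrete, here is an added example (not from CISA, Revenera or this page) that checks a CycloneDX-style SBOM for the minimum elements described above. The sample SBOM, its tool name and producer names are constructed; field placement follows CycloneDX 1.5 conventions (metadata.lifecycles for generation context, metadata.tools for tool name), and a component missing from the dependencies section is reported as an undeclared relationship, which is where Known Unknowns would otherwise have to be stated.

```python
import json

# Constructed sample (not from the page): a minimal CycloneDX 1.5-style SBOM in
# JSON carrying the draft's new fields. 'libbar' deliberately omits some of them.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {
   "timestamp": "2025-08-22T10:15:00Z",
   "lifecycles": [{"phase": "build"}],
   "tools": {"components": [{"type": "application", "name": "example-sbom-tool", "version": "0.1"}]},
   "authors": [{"name": "Example Build Team"}],
   "component": {"type": "application", "name": "example-app", "version": "2.3.0",
                 "supplier": {"name": "Example Producer Inc"}}},
 "components": [
   {"type": "library", "name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2",
    "hashes": [{"alg": "SHA-256", "content": "<sha256-placeholder>"}],
    "licenses": [{"license": {"id": "MIT"}}]},
   {"type": "library", "name": "libbar", "version": "0.9.0", "purl": "pkg:generic/libbar@0.9.0"}],
 "dependencies": [{"ref": "pkg:generic/libfoo@1.4.2", "dependsOn": ["pkg:generic/libbar@0.9.0"]}]}
""")

# Per-component minimum elements, mapped to the CycloneDX key that carries them.
COMPONENT_FIELDS = (("Component Name", "name"), ("Component Version", "version"),
                    ("Software Identifier", "purl"), ("Component Hash", "hashes"), ("License", "licenses"))

def check_minimum_elements(sbom: dict) -> list:
    """Return human-readable findings for draft minimum elements the SBOM lacks.
    Document-level fields come from 'metadata'; per-component fields are checked per entry."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        findings.append("SBOM Author missing (metadata.authors)")
    if not meta.get("component", {}).get("supplier"):
        findings.append("Software Producer missing (metadata.component.supplier)")
    if not meta.get("timestamp"):
        findings.append("Timestamp missing (metadata.timestamp)")
    if not meta.get("lifecycles"):
        findings.append("Generation Context missing (metadata.lifecycles)")
    tools = meta.get("tools") or {}  # object form (1.5+) or legacy array form
    if not (tools.get("components") if isinstance(tools, dict) else tools):
        findings.append("Tool Name missing (metadata.tools)")
    # A component absent from 'dependencies' has no declared relationship: a Known Unknown.
    referenced = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        for field, key in COMPONENT_FIELDS:
            if not comp.get(key):
                findings.append(f"{field} missing for {label}")
        if (comp.get("bom-ref") or comp.get("purl")) not in referenced:
            findings.append(f"Dependency Relationship not declared for {label}")
    return findings
```

Running `check_minimum_elements(SAMPLE_SBOM)` flags only libbar: no hash, no license, and no dependency entry of its own.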

Stay Ahead of SBOM Requirements

As SBOM requirements continue to evolve, organizations need solutions that simplify compliance, improve visibility, and scale with complex software ecosystems. Revenera SBOM Management helps you manage, import, and analyze SBOMs to ensure your software supply chain remains transparent and secure.