In August 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a public comment draft of its updated Minimum Elements for a Software Bill of Materials (SBOM). This marks a significant step forward from the 2021 NTIA baseline and reflects the growing maturity of SBOM practices, broader adoption across industries, and the urgent need for scalable software supply chain transparency.
What’s New in the Draft
The updated guidance introduces four new data fields designed to strengthen traceability and visibility throughout the software lifecycle:
- Component Hash – provides a unique fingerprint for components
- License – clarifies usage rights and obligations
- Tool Name – identifies the tooling used to generate the SBOM
- Generation Context – offers transparency into how and when the SBOM was created
In addition, several existing elements were expanded, including:
- SBOM Author
- Software Producer
- Component Version
- Software Identifiers
- Dependency Relationship
- Coverage
- Known Unknowns
- Accommodation of Updates
One notable change is the removal of the Access Controls field, with those considerations now folded into Distribution and Delivery.
New and Updated Data Fields
Data Field | Description |
---|---|
SBOM Author | Entity that creates the SBOM data |
Software Producer | Entity that defines and identifies components |
Component Name | Human-readable name assigned by the producer |
Component Version | Version identifier or creation date |
Software Identifiers | Unique identifiers (e.g. CPE, purl, UUID, OmniBOR) |
Component Hash | Cryptographic hash of the component |
License | License(s) under which the component is made available |
Dependency Relationship | Inclusion or derivation relationship between components |
Tool Name | Tool(s) used to generate or enrich the SBOM |
Timestamp | ISO 8601 timestamp of the last SBOM update |
Generation Context | Lifecycle phase during which the SBOM was generated (pre-build, build, post-build) |
Emphasis on Automation and Interoperability
CISA’s draft underscores the importance of automation and machine readability. It explicitly endorses SPDX and CycloneDX as preferred formats while discouraging deprecated standards such as SWID.
The document also highlights three key practices for strengthening SBOM utility:
- Update with every release
- Include transitive dependencies
- Declare Known Unknowns to reduce ambiguity and improve downstream risk management
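To make the data-field table and the Known Unknowns practice concrete, here is an added example (not from the CISA draft, CycloneDX, or Revenera) that checks a CycloneDX-style SBOM for each listed field and reports where it is missing. The SBOM is constructed, and the mapping from each data field to a JSON location is this example's own assumption.

```python
# Constructed CycloneDX-style SBOM (made up for this example): one application, two libraries.
# libbar deliberately lacks a purl, hash and license so the checker has gaps to report.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {
        "timestamp": "2025-08-15T12:00:00Z",
        "lifecycles": [{"phase": "build"}],
        "tools": {"components": [{"type": "application", "name": "example-sbom-tool"}]},
        "authors": [{"name": "Example SBOM Team"}],
        "component": {"type": "application", "name": "example-app", "version": "1.0.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.3.1", "bom-ref": "libfoo",
         "purl": "pkg:generic/libfoo@2.3.1", "supplier": {"name": "Example Producer"},
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],  # placeholder digest, not real
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libbar", "version": "0.9.0", "bom-ref": "libbar",
         "supplier": {"name": "Example Producer"}},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["libfoo", "libbar"]}],
}

# Field -> JSON location. This mapping is the example's own assumption, not the draft's or CycloneDX's.
DOC_CHECKS = {  # evaluated once against the whole document
    "SBOM Author": lambda s: bool(s.get("metadata", {}).get("authors")),
    "Timestamp": lambda s: bool(s.get("metadata", {}).get("timestamp")),
    "Tool Name": lambda s: bool(s.get("metadata", {}).get("tools")),
    "Generation Context": lambda s: bool(s.get("metadata", {}).get("lifecycles")),
    "Dependency Relationship": lambda s: bool(s.get("dependencies")),
}
COMPONENT_CHECKS = {  # evaluated against every entry in "components"
    "Software Producer": lambda c: bool(c.get("supplier", {}).get("name")),
    "Component Name": lambda c: bool(c.get("name")),
    "Component Version": lambda c: bool(c.get("version")),
    "Software Identifiers": lambda c: any(k in c for k in ("purl", "cpe", "swid")),
    "Component Hash": lambda c: bool(c.get("hashes")),
    "License": lambda c: bool(c.get("licenses")),
}

def find_gaps(sbom: dict) -> dict:
    """Map each absent field to where it is missing: "document" or the component's name."""
    gaps = {}
    for field, present in DOC_CHECKS.items():
        if not present(sbom):
            gaps.setdefault(field, []).append("document")
    for comp in sbom.get("components", []):
        for field, present in COMPONENT_CHECKS.items():
            if not present(comp):
                gaps.setdefault(field, []).append(comp.get("name", "<unnamed>"))
    return gaps
```

For a real file, pass `json.load(open(path))` to `find_gaps`; the per-component gaps it returns are exactly what a consumer would record as Known Unknowns or send back to the producer to complete.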
Stay Ahead of SBOM Requirements
As SBOM requirements continue to evolve, organizations need solutions that simplify compliance, improve visibility, and scale with complex software ecosystems. Revenera SBOM Management helps you manage, import, and analyze SBOMs to ensure your software supply chain remains transparent and secure.