# Request for Comment on 2025 Minimum Elements for a Software Bill of Materials
**AGENCY:**
Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).
**ACTION:**
Request for Information (RFI).
**SUMMARY:**
The Cybersecurity and Infrastructure Security Agency (CISA) announces the publication and request for public comment on draft guidance entitled, “2025 Minimum Elements for a Software Bill of Materials (SBOM)” (2025 CISA SBOM Minimum Elements), which updates the elements of an SBOM to reflect improvements in SBOM tooling and increased maturity of SBOM implementation. CISA requests input on the clarifications and enhancements in the proposed voluntary guidance.
**DATES:**
Comments are encouraged and will be accepted until October 3, 2025. Submissions received after the deadline for receiving comments may not be considered.
**ADDRESSES:**
You may submit comments, identified by docket number CISA-2025-0007, by following the instructions below for submitting comments via the Federal eRulemaking Portal at *http://www.regulations.gov*.
*Instructions:* All comments received must include the agency name and docket number Docket # CISA-2025-0007. All comments received will be posted without change to *http://www.regulations.gov,* including any personal information provided.
*Docket:* For access to the docket to read background documents or comments received, go to *http://www.regulations.gov*.
Commenters may access the 2025 CISA SBOM Minimum Elements on CISA's website at: *https://cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom*.
**FOR FURTHER INFORMATION CONTACT:**
Victoria Ontiveros, *[email protected]*.
**SUPPLEMENTARY INFORMATION:**
**I. Public Participation**
Interested persons are invited to comment on this notice by submitting written data, views, or arguments using the method identified in the *ADDRESSES* section. All members of the public, including, but not limited to, specialists in the field, academic experts, industry, public interest groups, and those with relevant economic expertise, are invited to comment.
**II. Background**
An SBOM is a nested inventory, a list of ingredients that make up software components. The National Telecommunications and Information Administration (NTIA) published “Minimum Elements for a Software Bill of Materials (SBOM)” on July 12, 2021 (2021 NTIA SBOM Minimum Elements), as directed by Executive Order (E.O.) 14028. These minimum elements marked an important milestone for the NTIA's SBOM advancement efforts and established basic specifications for software producers and tool developers. This 2021 document was designed to establish a baseline of what the U.S. Government considered an SBOM to minimize variation in what was submitted.
In 2021, software producers and consumers alike were largely unfamiliar with SBOM. SBOM implementation practices were only just emerging and options for tools to create and manage SBOMs were limited. The 2021 NTIA SBOM Minimum Elements reflected the state of practice at the time. On September 14, 2022, the Office of Management and Budget issued memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” which indicates that CISA would produce successor guidance to the 2021 NTIA SBOM Minimum Elements.
For instance, the SBOM tooling landscape has expanded beyond SBOM generation to include, among other capabilities, sharing, analyzing, and managing SBOMs. The SBOM community has also grown to include stakeholders from an even greater number of industries and sectors. Open source software communities have also been active in driving forward the development of machine-processable SBOM operations. Experts from across the software ecosystem identified new use cases and applications for SBOM data. Cybersecurity organizations around the world have issued their own guidance on SBOM. As a result of these developments, the overall maturity of SBOM implementation has grown significantly since 2021.
The 2025 CISA SBOM Minimum Elements reflect the expanded capabilities and functionalities of SBOM tooling, the increased maturity of SBOM implementation, and the value of software supply chain data. Although statutes, regulations, and binding government-wide policies currently do not require that agencies obtain SBOMs from their software vendors, stakeholder experience with consuming and comparing data highlights the benefits of further clarity and more common and more precise specifications. By updating the 2021 NTIA SBOM Minimum Elements and adding new minimum elements, CISA aims to continue to promote SBOMs as a way to provide relevant and available data to software users to illuminate their software supply chains, better inform their risk management processes, and drive their software security decisions.
**III. List of Topics for Commenters**
CISA seeks comments on the 2025 CISA SBOM Minimum Elements and the following topics:
(1) Should any elements be removed from the 2025 CISA SBOM Minimum Elements, meaning the element should not be required for all SBOMs? Which elements, and why?
(2) Should CISA include any additional elements in the 2025 CISA SBOM Minimum Elements, meaning the element should be a requirement for all SBOMs? Which elements, and why?
(3) Are the definitions and defined processes and practices in the 2025 CISA SBOM Minimum Elements, including new definitions, updated definitions, and the definitions carried over from the 2021 NTIA SBOM Minimum Elements, sufficiently clear to support automated creation and consumption? How can these definitions be improved?
(4) Are there specific contexts, technologies, or sectors where these proposed minimum elements are not feasible? Please provide as much detail as possible.
CISA also welcomes comments on other areas or approaches currently absent from the guidance.
This notice is issued under the authority of 6 U.S.C. 652(c)(10)-(11) and 6 U.S.C. 659(c)(7).
Christopher Butera,
Acting Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security.