US Cyber Defense Agency Pushes for Automation and Machine-Readable Data in SBOMs

The U.S. cyber defense agency is once again trying to make software bills of materials happen – this time with a new framework that doubles down on machine-readable transparency and expands what SBOMs should actually include for real-world application.
The Cybersecurity and Infrastructure Security Agency published a draft update on Friday to its “Minimum Elements for a SBOM,” seeking public input on tooling and adoption practices that could help software ingredient lists evolve from abstract ideals to practical tools for vulnerability management, supply chain transparency and operational security. The draft emphasizes real-world applications, adding four new data fields – component hash, license, tool name and generation context – while updating core elements like software producer, component version and dependency relationship to better reflect how SBOMs are actually generated, shared and used in the field.
The goal of the updated minimum elements guidance is “to foster a common expectation about the basics of an SBOM” and raise the threshold of expected data quality, said Allan Friedman, who until recently led CISA’s SBOM efforts and now advises organizations on supply chain security. Friedman told Information Security Media Group that SBOM data is helping companies confirm their suppliers understand their own software and aiding security teams in tracking risk – but few tools today can manage SBOMs and other metadata across an organization, even as customers use SBOMs as a litmus test for product security maturity.
“SBOM has always had a chicken-and-egg problem,” Friedman said. While SBOM generation technology has matured, the industry is still catching up with tools to turn that data into actionable intelligence, he said. The new guidance “should support greater harmonization across implementations,” helping drive broader integration of SBOM data into automated security workflows.
Analysts said SBOMs are most effective when paired with certificate lifecycle management, code signing and other layers of digital trust.
But flaws remain in part because, while SBOMs offer visibility, the content is still controlled by the software creator. Vendors can strip out certain dependencies before signing and distributing a “sanitized” SBOM, leaving consumers uncertain whether they’re seeing a full disclosure of what’s in the code.
Experts said the draft leaves key gaps and cautioned that SBOMs alone can’t provide a full picture of security risk without supporting processes to cross-reference them with vulnerability databases. Analysts noted that while hashes improve authenticity, SBOMs still need better standardization, tighter integration with vulnerability tools and automation to scale – especially if they’re to become a reliable part of real-time cybersecurity operations.
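A consumer-side check of the elements the draft names, written as an added example for this article rather than CISA's tooling or a real SBOM schema: the flat field names, the sample SBOM and the artifact bytes are all constructed. It verifies each component hash against the bytes actually received, that dependency relationships only reference declared components, and that nothing delivered is missing from the list, which is the "sanitized" SBOM problem described above.

```python
import hashlib

# Minimum elements named in the draft (key names constructed for this example;
# real SBOMs carry them in SPDX or CycloneDX documents, not flat dicts).
REQUIRED_DOC_FIELDS = {"producer", "tool_name", "generation_context", "components", "relationships"}
REQUIRED_COMPONENT_FIELDS = {"name", "version", "license", "hash"}

def check_sbom(sbom: dict, artifacts: dict) -> list:
    """Return findings for an SBOM checked against the artifacts actually delivered."""
    findings = []
    for field in sorted(REQUIRED_DOC_FIELDS - set(sbom)):
        findings.append(f"missing document field: {field}")
    declared = set()
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        declared.add(name)
        for field in sorted(REQUIRED_COMPONENT_FIELDS - set(comp)):
            findings.append(f"{name}: missing component field: {field}")
        # Component hash: the recorded digest must match the bytes the consumer received
        if "hash" in comp:
            data = artifacts.get(name)
            if data is None:
                findings.append(f"{name}: declared in SBOM but no artifact delivered")
            elif hashlib.sha256(data).hexdigest() != comp["hash"]:
                findings.append(f"{name}: hash mismatch")
    # Dependency relationships must only point at declared components
    for rel in sbom.get("relationships", []):
        for end in (rel.get("from"), rel.get("to")):
            if end not in declared:
                findings.append(f"relationship references undeclared component: {end}")
    # A delivered artifact absent from the list is the stripped-down SBOM the article warns about
    for name in sorted(set(artifacts) - declared):
        findings.append(f"{name}: delivered artifact not declared in SBOM")
    return findings

# Constructed sample: one clean component, one with a missing license and a bad hash,
# a relationship to an undeclared component, and a shipped library the SBOM omits.
ARTIFACTS = {"libfoo": b"libfoo 1.2.0", "libbar": b"libbar 0.9.1", "libhidden": b"libhidden 3.0"}
SAMPLE_SBOM = {
    "producer": "Example Vendor", "tool_name": "example-sbom-gen", "generation_context": "build",
    "components": [
        {"name": "libfoo", "version": "1.2.0", "license": "MIT",
         "hash": hashlib.sha256(ARTIFACTS["libfoo"]).hexdigest()},
        {"name": "libbar", "version": "0.9.1", "hash": "0" * 64},
    ],
    "relationships": [{"from": "libfoo", "to": "libbar"}, {"from": "libfoo", "to": "libbaz"}],
}

if __name__ == "__main__":
    print("\n".join(check_sbom(SAMPLE_SBOM, ARTIFACTS)))
```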
The public can provide feedback on the draft guidance until Oct. 3 through the Federal Register. CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said in a press release the guidance “will empower federal agencies and other organizations to make risk-informed decisions, strengthen their cybersecurity posture and support scalable, machine-readable solutions.”
