
CISA SBOM Guidance Overhaul Seeks Industry Feedback

August 22, 2025 • César Daniel Barreto

Security teams, heads up: CISA has just released new SBOM guidance, and they’re seeking public feedback; comments are due by October 3rd. This isn’t merely a tweak to the 2021 iteration. Instead, it’s a broad overhaul that changes how we treat software inventories as tooling improves and more organizations adopt SBOMs.

Big shifts are hitting where they count the most. Each component now needs its licensing information, the name of whatever tool generated your SBOM, and cryptographic hashes throughout. They’re also hammering home automation, aiming for SBOMs that feed directly into your security tooling instead of the usual tedious list parsing. And calling out unknown dependencies matters more than ever, given the tangled web of dependencies modern software weaves.
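As an added illustration (not from CISA or the post), here is a small checker that flags the gaps the new guidance calls out: a missing license per component, no hash, no named generating tool, and components whose dependency relationships are never asserted. It assumes the CycloneDX JSON field layout and runs on a constructed sample SBOM embedded below.

```python
"""Check a CycloneDX-style SBOM for the elements the guidance calls out.

Constructed example; the field paths are assumed to follow CycloneDX JSON.
"""
import json

# Constructed sample SBOM: one well-described component, one with gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"tools": [{"name": "example-sbom-tool", "version": "0.1"}]},
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.32.0",
         "name": "requests", "version": "2.32.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "bom-ref": "pkg:pypi/leftpad@1.0",
         "name": "leftpad", "version": "1.0"},
    ],
    # No entry for leftpad: its dependencies are unknown, not empty.
    "dependencies": [
        {"ref": "pkg:pypi/requests@2.32.0", "dependsOn": []},
    ],
})


def check_sbom(sbom_json: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    bom = json.loads(sbom_json)
    findings = []
    # metadata.tools is a list in older specs and an object in 1.5+.
    tools = bom.get("metadata", {}).get("tools", [])
    if isinstance(tools, dict):
        tools = tools.get("components", []) + tools.get("services", [])
    if not any(t.get("name") for t in tools):
        findings.append("metadata: generating tool not named")
    # A component with no dependencies entry has unknown relationships;
    # an entry with an empty dependsOn asserts it has none.
    asserted = {d.get("ref") for d in bom.get("dependencies", [])}
    for c in bom.get("components", []):
        ref = c.get("bom-ref") or c.get("name", "?")
        if not c.get("licenses"):
            findings.append(f"{ref}: no license information")
        if not any(h.get("content") for h in c.get("hashes", [])):
            findings.append(f"{ref}: no cryptographic hash")
        if ref not in asserted:
            findings.append(f"{ref}: dependency relationships unknown")
    return findings


if __name__ == "__main__":
    for line in check_sbom(SAMPLE_SBOM) or ["all checks passed"]:
        print(line)
```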

I noticed they scrapped the separate access control section (it’s now merged with the distribution guidance). It feels like they’re cutting down on red tape rather than piling it on, which is surprising—but welcome. The focus is clearly on making SBOMs practical at scale, not just ticking compliance boxes.

So, if we’re on the SBOM route (spoiler alert: we should be), this revamped guide touches our implementation pretty closely. The comment window is open until early October, so if anything seems off for our needs, it’s time to speak up. They appear to genuinely want industry feedback before finalizing this thing.


César Daniel Barreto

César Daniel Barreto is an esteemed cybersecurity writer and expert, known for his in-depth knowledge and ability to simplify complex cyber security topics. With extensive experience in network security and data protection, he regularly contributes insightful articles and analysis on the latest cybersecurity trends, educating both professionals and the public.