Software Bills of Materials (SBOMs) are becoming a cornerstone for improving software supply-chain transparency and resilience. An SBOM is a detailed inventory of the components that make up a piece of software. It is essentially a software ingredient list that enables agencies and organizations to see exactly what’s inside the applications they use. This visibility is crucial for identifying known vulnerabilities, managing third-party and open-source dependencies, and making informed risk decisions.
In 2025, several key actions further formalized how SBOMs are used in government.
- In September, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and international partners from 14 countries released “A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity.” This joint guidance sets out a common definition of SBOMs and the roles different stakeholders play: producers, choosers, and operators of software. By harmonizing terminology and encouraging integration of SBOMs into security workflows, the guidance promotes not just adoption but consistent operational use of SBOMs across borders.
- CISA also updated domestic federal SBOM expectations with its 2025 draft guidance on minimum elements for SBOMs. The draft builds on the original 2021 guidance for SBOM minimum elements, refining what constitutes a high-quality and actionable SBOM. It emphasizes machine-readable formats, richer metadata (including component hashes and licensing), and support for automation. The draft was open to public comment, giving industry and government practitioners a role in shaping how SBOM standards evolve.
Together, these two guiding documents indicate key trends for SBOM use in federal agencies:
- Moving beyond definition to implementation: Broad, collaborative guidance is now firmly established, moving SBOMs beyond conceptual frameworks into actionable operational tools.
- Harmonization across agencies and internationally: Shared guidance with international partners aims to reduce duplication and technical friction that could impede adoption.
- Machine-ready SBOMs will be the expectation: Updates to minimum elements reflect real-world needs for standardized, detailed, and automated SBOM data.
- SBOMs are ripe for automation: As agencies look to meet AI-use and modernization goals, SBOMs present a perfect opportunity to introduce new automation tools into agency environments. These tools can remove the manual effort associated with administering SBOMs.
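As an added illustration (not from this page or from CISA's guidance), the following Python check walks a constructed CycloneDX-style SBOM and reports, per component, which minimum-element fields are absent: the 2021 baseline data fields (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp) plus the component hash, license, and tool name that the 2025 draft adds. The CycloneDX field mapping and the sample inventory are assumptions made here, not taken from the guidance.

```python
import json

# Constructed sample (not a real inventory): a tiny CycloneDX-style SBOM whose
# second component deliberately lacks a hash and a license.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2025-10-01T12:00:00Z", "authors": [{"name": "Example Build Pipeline"}],
                 "tools": [{"name": "example-sbom-tool", "version": "0.1"}]},
    "components": [
        {"bom-ref": "pkg:generic/libalpha@1.2.3", "name": "libalpha", "version": "1.2.3",
         "supplier": {"name": "Alpha Project"},
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}], "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:generic/libbeta@4.5.6", "name": "libbeta", "version": "4.5.6",
         "supplier": {"name": "Beta Project"}},
    ],
    "dependencies": [
        {"ref": "pkg:generic/libalpha@1.2.3", "dependsOn": ["pkg:generic/libbeta@4.5.6"]},
        {"ref": "pkg:generic/libbeta@4.5.6", "dependsOn": []},
    ],
})


def check_minimum_elements(sbom_json: str) -> dict[str, list[str]]:
    """Map 'document' and each incomplete component (by bom-ref) to its missing elements."""
    sbom = json.loads(sbom_json)
    meta = sbom.get("metadata", {})
    findings = {}
    # Document-level elements: SBOM author, timestamp, and the tool that produced it.
    doc_checks = {
        "timestamp": bool(meta.get("timestamp")),
        "author": bool(meta.get("authors")),
        "tool name": any(t.get("name") for t in meta.get("tools", [])),  # added in the 2025 draft
    }
    if not all(doc_checks.values()):
        findings["document"] = [k for k, ok in doc_checks.items() if not ok]
    # A component's dependency relationship counts as recorded when it has an entry
    # (even an empty one) in the top-level dependencies list.
    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        checks = {
            "component name": bool(comp.get("name")),
            "version": bool(comp.get("version")),
            "supplier": bool(comp.get("supplier", {}).get("name")),
            "unique identifier": bool(comp.get("bom-ref")),
            "dependency relationship": ref in declared,
            "component hash": bool(comp.get("hashes")),  # added in the 2025 draft
            "license": bool(comp.get("licenses")),       # added in the 2025 draft
        }
        if not all(checks.values()):
            findings[ref] = [k for k, ok in checks.items() if not ok]
    return findings
```

An empty result means every checked element is present; in a pipeline the findings would gate ingestion of the SBOM into an inventory rather than silently accepting a partial one.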
To learn more about securing the software supply chain, check out these resources from GovWhitePapers and GovEvents:
- 2025 Minimum Elements for a Software Bill of Materials (white paper) – This CISA draft refines the foundational elements of a Software Bill of Materials (SBOM), helping agencies and organizations understand and manage the software components they use. It updates the 2021 baseline with new fields like component hash, license, and tool name, and clarifies practices for cloud, AI, and automation.
- Going Beyond the SBOM (white paper) – The SBOM provides visibility, yet it only scratches the surface of the threats hidden within complex commercial applications. By going beyond the SBOM, enterprises gain actionable insights to strengthen trust and resilience across their software supply chains.
- The Future of Open Source Security: A Trust-First Approach to the Federal Supply Chain (white paper) – This white paper offers strategic insights for federal leaders looking to navigate the complexities of securing open-source software. From dynamic SBOMs and modernized procurement practices to AI governance and continuous assurance, this guide highlights actionable steps to build resilient, trust-based software supply chains.
- 10th Insider Risk Summit West (March 18-19, 2026; Monterey, CA) – Leading security experts, advocates, and decision-makers from across both the public and private sectors share their perspectives. This event will provide attendees with critical insight into the evolving insider risk landscape, along with the technologies, policies, and strategies required to detect, mitigate, and respond to these threats.
- Securing the Cyber/Software Supply Chain 2026 (March 26, 2026; virtual) – Expert speakers from government and industry will share actionable insights and real-world approaches to securing mission-critical software infrastructure.
Search GovWhitePapers and GovEvents to find even more insights on SBOM and software supply chain security.