Navigating Software Bill of Materials Guidance for Government Contractors


Cybersecurity Compliance Alert: What Government Contractors Need to Know About Updated SBOM Guidance

The Software Bill of Materials (SBOM) has rapidly emerged as a critical mechanism for securing the modern software supply chain. Broadly, the framework established by the National Telecommunications and Information Administration (NTIA) provides a standardized way to record software inventory, securing the supply chain at the component level.

This focus intensified following Executive Order 14028 on Improving the Nation’s Cybersecurity, which led to the NTIA first publishing minimum elements for SBOMs in 2021 for federal agencies.

Enhancing Transparency: CISA’s Updated Guidance

In June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued draft updated guidance intended to supplement the original minimum elements and enhance transparency in software supply chains. This update recognizes the rapid growth and distinct developments in the ecosystem, including the proliferation of Software as a Service (SaaS) in cloud environments and the rise of AI systems.

The original NTIA framework prescribed three core minimum elements: Data Fields, Automation Support, and Practices and Processes. CISA’s recent guidance builds substantially on these areas:

1. Expanded Data Fields

CISA updated and introduced new data fields that should accompany each software component and subcomponent, totaling nine revised fields. Key changes include:

  • Differentiating Roles: A built-in distinction is made between the SBOM Author and the Software Producer. This is vital in complex scenarios involving open-source projects or distributors, where the author may be a distinct entity from the component’s originator.
  • Machine-Processable Identifiers: Additional context is required for Software Identifiers, which must be machine-processable to support automated analysis. Authors are advised to include all applicable identifiers, prioritizing common formats.
  • New Visibility Fields: New data fields have been introduced, such as Component Hash, License, Tool Name, and Generation Context. These are designed to provide greater visibility into the software component artifact, its conditions of use, and the build lifecycle phase in which the SBOM was generated.

2. Automation and Interoperability

The goal of Automation Support is to ensure data format compatibility so that component data can be managed at scale. CISA’s guidance emphasizes the adoption of widely used, interoperable, and machine-processable data formats such as Software Package Data eXchange (SPDX) and CycloneDX. While shifting away from older Software Identification (SWID) tags, CISA highlighted the need for organizations to regularly reassess and remove data formats that become incompatible or are no longer maintained.

3. Risk-Based Practices and Processes

CISA proposed a more concise description of how organizations should approach SBOM development and its integration into internal policies and contractual relationships. Organizations are strongly encouraged to make risk-based decisions that draw on a mapping of component-specific dependencies. Such a mapping makes it possible to determine whether a reported vulnerability is actually germane (relevant) to a particular software component. Furthermore, organizations should share and update SBOM data across the supply chain and consider implementing need-based access controls.
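To make the three areas above concrete, here is an added example (not part of the original post or of any CISA material) that builds a small CycloneDX-style SBOM carrying the fields discussed, checks each component for the per-component data, verifies a delivered artifact against the recorded Component Hash, and walks the dependency mapping to decide whether a vulnerability in one component is germane to the product. The SBOM content, component names and hash are constructed; the CycloneDX field names reflect my reading of the 1.6 JSON schema and should be checked against the published specification.

```python
import hashlib

# Constructed sample SBOM in CycloneDX 1.6 JSON style (field names follow my
# reading of the CycloneDX schema; check them against the published spec).
ARTIFACT = b"constructed-artifact-bytes"  # stands in for the delivered package
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {
        "authors": [{"name": "Contractor SBOM Team"}],                        # SBOM Author
        "tools": {"components": [{"type": "application", "name": "sbom-gen"}]},  # Tool Name
        "lifecycles": [{"phase": "build"}],                                    # Generation Context
        "component": {"type": "application", "name": "mission-app", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "name": "libparse", "version": "3.4", "bom-ref": "libparse",
         "supplier": {"name": "Upstream OSS Project"},                         # Software Producer
         "purl": "pkg:generic/libparse@3.4",                                     # machine-processable id
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(ARTIFACT).hexdigest()}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libcompress", "version": "1.0", "bom-ref": "libcompress",
         "purl": "pkg:generic/libcompress@1.0"},     # supplier, hash and license missing
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["libparse"]},
                     {"ref": "libparse", "dependsOn": ["libcompress"]}],
}
REQUIRED = ("supplier", "purl", "hashes", "licenses")

def check_minimum_elements(bom):
    """Return (bom-ref, missing fields) for components lacking the per-component data."""
    return [(c["bom-ref"], [f for f in REQUIRED if not c.get(f)])
            for c in bom["components"] if any(not c.get(f) for f in REQUIRED)]

def dependents_of(bom, target):
    """Transitively find every component that depends on `target`.
    A vulnerability in `target` is germane to the product only if this set reaches it."""
    graph = {d["ref"]: set(d.get("dependsOn", [])) for d in bom["dependencies"]}
    affected, frontier = set(), {target}
    while frontier:  # breadth-first walk up the graph; cycle-safe via `affected`
        frontier = {r for r, deps in graph.items() if frontier & deps} - affected
        affected |= frontier
    return affected

def verify_hash(component, artifact_bytes):
    """Confirm a delivered artifact matches the SBOM's recorded Component Hash."""
    recorded = {h["content"] for h in component.get("hashes", []) if h["alg"] == "SHA-256"}
    return hashlib.sha256(artifact_bytes).hexdigest() in recorded
```

Running `check_minimum_elements(SBOM)` flags `libcompress` for its missing supplier, hash and license, and `dependents_of(SBOM, "libcompress")` shows the flaw would propagate through `libparse` to the product itself.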

Critical Implications for Government Contractors

While comprehensive SBOM requirements have not yet been universally implemented in solicitations, contractors should anticipate seeing component-level inventory requirements emerge in specific high-profile programs.

The Golden Dome for America (GDA) program offers a clear example of future expectations. In July 2025, the Pentagon outlined 18 cybersecurity requirements for GDA. Vendors and contractors posturing for this program will need to prepare comprehensive bills of materials, providing component-level documentation throughout the supply chain.

Notably, the GDA mandate requires a complete bill of materials not just for software, but also for hardware, firmware, microelectronics, chemicals, and raw materials. Vendors must also guarantee that system components are genuine and comply with strict documentation, monitoring, and validation requirements, including detailed supplier identification.

Contractors aiming for government roles must begin developing and updating their SBOMs now, particularly those interested in the GDA program, and stay apprised of further guidance on the SBOM framework in the coming months.

Tags: SBOM, Government Contracts, CISA, NTIA, Cybersecurity, Software Supply Chain, Golden Dome for America, Compliance, Risk Management, Component Inventory