New CISA SBOM Minimum Elements and NIST DevSecOps Documents Soliciting Comments

2025-08-28

CISA has proposed a major update to the 2021 NTIA SBOM Minimum Elements: the 2025 Minimum Elements for a Software Bill of Materials (SBOM).

Currently, this is a draft publication soliciting comments. Community organizations, including OWASP and OpenSSF, are working on coordinated responses.

Major updates include Coverage: where previously an SBOM was only required to list top-level dependencies, transitive dependencies are now expected as well. There is also a new Known Unknowns element, under which the SBOM is expected to list data that the author knows is missing from it.

Another major update is the inclusion of a Component Hash. This is currently one of the contentious points, as there are cases where it is difficult to pinpoint which artifact the hash should be computed over (e.g. for embedded libraries).
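To make the new elements concrete, the following is an added example (written for this post, not code from CISA, NTIA or any SBOM tool) that checks a small SBOM against the three points above: transitive coverage, component hashes, and what would have to be declared as a known unknown. The SBOM is a constructed sample in a CycloneDX-style JSON layout (the `components`, `hashes` and `dependencies` keys are assumed to follow that schema); the hash values are computed over constructed bytes standing in for the real artifacts.

```python
import hashlib
from collections import deque


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample SBOM (CycloneDX-style layout, hypothetical application).
# lib-a is a direct dependency; lib-b and lib-c are transitive via lib-a.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "version": "2.3.1",
         "hashes": [{"alg": "SHA-256", "content": _sha256(b"lib-a-2.3.1")}]},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0",
         "hashes": [{"alg": "SHA-256", "content": _sha256(b"lib-b-0.9.0")}]},
        # Transitive component with no hash recorded (e.g. an embedded library
        # where the producer could not decide what artifact to hash).
        {"bom-ref": "lib-c", "name": "lib-c", "version": "4.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a"]},
        {"ref": "lib-a", "dependsOn": ["lib-b", "lib-c"]},
        {"ref": "lib-b", "dependsOn": []},
        # No entry for lib-c: its dependencies are unknown, which is different
        # from an explicit empty "dependsOn" list.
    ],
}


def reachable(sbom: dict, root: str):
    """Walk the dependency graph from root.

    Returns (refs reachable from root excluding root itself,
             refs that have no dependency record at all).
    """
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, unresolved = set(), set()
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        if ref not in edges:
            unresolved.add(ref)  # graph stops here: coverage gap
            continue
        queue.extend(edges[ref])
    seen.discard(root)
    return seen, unresolved


def _has_sha256(component: dict) -> bool:
    return any(h.get("alg") == "SHA-256" and h.get("content")
               for h in component.get("hashes", []))


def check_sbom(sbom: dict) -> dict:
    """Report coverage and hash gaps; the result is what a Known Unknowns
    section would have to disclose."""
    root = sbom["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    deps, unresolved = reachable(sbom, root)
    return {
        # listed in components but never reached from the root: orphan entries
        "listed_but_unreachable": sorted(set(comps) - deps),
        # reached via dependencies but missing a component record
        "reachable_but_unlisted": sorted(deps - set(comps)),
        # reached and listed, but with no SHA-256 hash to verify against
        "missing_hash": sorted(r for r in deps & set(comps) if not _has_sha256(comps[r])),
        # reached but with no dependency record: transitive closure unknown
        "unknown_transitives": sorted(unresolved),
    }


def verify_component(sbom: dict, ref: str, artifact: bytes) -> bool:
    """Recompute the hash of the artifact and compare with the SBOM record.
    A component without a SHA-256 entry cannot be verified and returns False."""
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    comp = comps.get(ref)
    if comp is None or not _has_sha256(comp):
        return False
    recorded = next(h["content"] for h in comp["hashes"] if h.get("alg") == "SHA-256")
    return recorded == _sha256(artifact)


if __name__ == "__main__":
    for key, refs in check_sbom(SAMPLE_SBOM).items():
        print(f"{key}: {refs}")
    print("lib-a verifies:", verify_component(SAMPLE_SBOM, "lib-a", b"lib-a-2.3.1"))
```

On the sample, `check_sbom` flags lib-c twice: its hash is missing and its own dependencies were never recorded, so the transitive closure below it is unknown. Under the draft, a producer who cannot supply either would be expected to say so explicitly in the Known Unknowns element rather than ship a silently incomplete graph; a consumer running a check like this one can tell the difference between "no further dependencies" (an empty `dependsOn`) and "not recorded" (no entry at all). `verify_component` shows what the Component Hash buys the consumer: the recorded hash is only useful if both sides agree on the artifact it was computed over, which is exactly the open question for embedded libraries.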

The document also clarifies the definitions of several fields, including SBOM Author and Software Producer.

Another interesting new document currently open for public comment is NIST SP 1800-44A, Secure Software Development, Security, and Operations (DevSecOps) Practices. It is a high-level document that outlines a set of practices organizations are expected to follow to ensure secure software development, security, and operations.

An interesting point is that it references NIST SP 800-218, the Secure Software Development Framework (SSDF). As we previously wrote, SSDF is identified as the foundation on which future industry guidance on SBOMs and attestations will be built.

Therefore, while the current document is very high level, it should be read in conjunction with the upcoming SSDF updates.
