ARTICLE
8 October 2025

Software Bill Of Materials Guidance For Government Contractors

Greenberg Traurig, LLP


Go-To Guide:

  • CISA's updated SBOM guidance supplements the minimum elements to enhance transparency in software supply chains through expanded data fields and improved automation support.
  • Organizations should consider risk-based approaches to SBOM development that identify dependencies and potential vulnerabilities in software components.
  • Contractors interested in the Golden Dome for America program will need to prepare comprehensive bills of materials with component-level documentation throughout the supply chain.

In June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued draft updated guidance for public comment on the Minimum Elements for a Software Bill of Materials (SBOM), which the National Telecommunications and Information Administration (NTIA) first published in 2021 for federal agencies in response to Executive Order 14028 on Improving the Nation's Cybersecurity. SBOMs provide those who produce, choose, and operate software with information that enhances their understanding of the software supply chain. Broadly, NTIA's SBOM framework provides a standardized mechanism for recording software inventory and has become an increasingly critical part of securing the software supply chain at the component level. CISA's updated guidance recognizes the rapid growth and distinct developments in the ecosystem, including SaaS in cloud environments and AI systems.

SBOM Guidance

NTIA's original framework prescribed three minimum elements for recordkeeping on the details and supply chain relationships concerning software development: Data Fields, Automation Support, and Practices and Processes. Key goals included driving transparency through time-stamped identification of software components, securing the software ecosystem through license and vulnerability management, and automation support for scale via machine-readability.

CISA's recent guidance builds upon these minimum elements to help enhance the transparency and security of an ever-growing and active software supply chain:

  • Data Fields – CISA proposed updates to and introduced new SBOM data fields that should accompany each software component (and subcomponent). The revised data fields, now totaling nine, include the following updates:

– Built-in distinction between the SBOM Author and the Software Producer, which may be identical where the author is also the software component's originator or manufacturer. In other cases, where the SBOM Author is a distinct entity, the updated data fields seek to help account for differences in entity roles and responsibilities, particularly where open-source software projects or distributors are involved.

– Additional context for Software Identifiers, which should be machine-processable and help drive automated analysis. Where common software identifiers are available, they are preferred. Where multiple identifiers are applicable, the SBOM Author should include all of them.

– New data fields, including Component Hash, License, Tool Name, and Generation Context, designed to provide more visibility into each software component artifact, its relevant conditions of use, and the build lifecycle phase in which the SBOM was generated.

  • Automation Support – This minimum element refers to the underlying need for data format compatibility to support management of software component data at scale. CISA's guidance reflects an overall shift away from Software Identification (SWID) tags but reiterates Software Package Data eXchange (SPDX) and CycloneDX as widely used, interoperable, and machine-processable data formats that should be adopted. CISA also highlighted the need for regular reassessments and removal of data formats that may become incompatible, unmaintained, or ineffective.
  • Practices and Processes – CISA proposed a more concise description of how organizations should approach SBOM development and integration in their internal policies, contractual relationships, and procedures. CISA highlighted the importance of risk-based decisions that draw upon a mapping of component-specific dependencies and an ability to identify whether reported vulnerabilities are germane to a particular software component. CISA encourages organizations to share and update SBOM data across the supply chain and consider implementing need-based access controls.
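As an added illustration (not part of the original article or of any CISA tooling), the following checker reports which of the data fields discussed above are absent from a CycloneDX-style SBOM, per document and per component. The mapping of CISA's field names onto CycloneDX JSON keys and the sample SBOM are assumptions constructed for this example.

```python
"""Report missing SBOM minimum data fields in a CycloneDX-style JSON document.

Assumption: the field-to-key mapping below is one illustrative reading of
CISA's field names against CycloneDX metadata/component keys, not an official one.
"""
import json

# Constructed sample SBOM: libfoo carries every field, libbar is incomplete.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "authors": [{"name": "Example SBOM Team"}],                  # SBOM Author
        "tools": [{"name": "example-sbom-tool", "version": "1.0"}],  # Tool Name
        "lifecycles": [{"phase": "build"}],                          # Generation Context
    },
    "components": [
        {"name": "libfoo", "version": "2.1.0",
         "supplier": {"name": "Foo Project"},                        # Software Producer
         "purl": "pkg:generic/libfoo@2.1.0",                         # Software Identifier
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}],       # placeholder hash
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "libbar", "version": "0.9",
         "supplier": {"name": "Bar Inc"}},   # no identifier, hash or license
    ],
})

# Document-level fields live under "metadata"; each maps to a key that must be non-empty.
DOCUMENT_FIELDS = {
    "SBOM Author": "authors",
    "Tool Name": "tools",
    "Generation Context": "lifecycles",
}

# Component-level fields: each probe returns a truthy value when the field is present.
COMPONENT_FIELDS = {
    "Software Producer": lambda c: c.get("supplier", {}).get("name"),
    "Software Identifiers": lambda c: any(c.get(k) for k in ("purl", "cpe", "swid")),
    "Component Hash": lambda c: c.get("hashes"),
    "License": lambda c: c.get("licenses"),
}


def check_minimum_fields(sbom_json: str) -> dict:
    """Return {"document": [...]} and {"name@version": [...]} entries for missing fields."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    report = {}
    doc_missing = [name for name, key in DOCUMENT_FIELDS.items() if not meta.get(key)]
    if doc_missing:
        report["document"] = doc_missing
    for comp in bom.get("components", []):
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        missing = [name for name, probe in COMPONENT_FIELDS.items() if not probe(comp)]
        if missing:
            report[label] = missing
    return report
```

Running `check_minimum_fields(SAMPLE_SBOM)` flags only libbar, which is the kind of gap a consumer would want resolved before relying on the SBOM for vulnerability matching.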

Implications for Government Contractors

A number of industry participants responded to CISA's request for public comments by the deadline earlier this month. While SBOM requirements have not been widely rolled out in solicitations, contractors may expect to see component-level inventory requirements in certain programs.

Notably, in July 2025, the Pentagon's Acting Chief Information Officer issued a memo outlining 18 cybersecurity requirements for the Golden Dome for America (GDA) program. The memo prescribes that GDA vendors and contractors will be required to provide a complete bill of materials for hardware, software, firmware, microelectronics, chemical, and raw materials. Relatedly, all vendors must ensure that system components are genuine and will need to comply with documentation, monitoring, and validation requirements, including supplier identification throughout the supply chain.

As government contractors continue to develop and update their SBOMs, particularly those that are posturing to take an active role in the GDA program, they should stay apprised of updates to CISA's pre-decisional draft and further guidance on the SBOM framework in the ensuing months.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
