SBOM Minimum Elements: Building on a Strong Foundation

References

• 2021 NTIA SBOM Minimum Elements - July 2021
• 2024 CISA Framing Document (3rd Edition) - April 2024
• 2025 CISA Draft Minimum Elements - August 2025

Key Takeaways

• The 2025 draft closely follows the 2024 Framing Document, elevating several attributes from “recommended” to mandatory.
• Substantive upgrades: cryptographic hash, license, tool name, and generation context are now required.
• Terminology updates: Supplier → Software Producer, Depth → Coverage, Mistakes → Updates.
• Scope narrowing: the Framing Document introduced Copyright Notice as a baseline attribute, but the 2025 draft does not include it.A Journey of Continuous Evolution
• The SBOM journey has never been about a single moment. From the 2021 NTIA minimum elements, to the 2024 CISA Framing Document, and now the 2025 CISA Draft Minimum Elements, we see an ongoing process of refinement. Each step doesn’t replace the previous one — instead, it builds on it, incorporating lessons learned, feedback from the community, and practical realities from implementation.
• This continuous evolution reflects the maturing understanding of what it means to make SBOMs both useful and actionable. The 2025 draft shows clear continuity: it respects the foundation of 2021, integrates the maturity guidance from 2024, and strengthens the requirements to ensure SBOMs can support compliance, vulnerability management, and broader supply chain transparency.

What Changed in 2025

In the Appendix B Summary of Minimum Elements Changes, CISA highlights several refinements:

• Terminology modernization: “Supplier” becomes “Software Producer” to reduce ambiguity and distinguish clearly from the SBOM Author.
• Fallback clarity: If a component has no version number, the SBOM can use a file creation date — ensuring that nothing gets lost in the gaps.
• Raising the bar: Cryptographic hash, license, generation context, and tool provenance all move from “recommended” or “suggested” to mandatory.
• Simplification: Access Control is folded into Distribution & Delivery to reduce duplication and streamline expectations.
• Strengthened declarations: Known Unknowns must now be categorized explicitly as “unknown,” “redacted,” or “not applicable.”
• Coverage clarity: What was once called “Depth” is now “Coverage,” broadening scope to include configuration files and instances.

These refinements signal a desire to make SBOMs more complete, machine-actionable, and trustworthy.

How 2025 Builds on 2021 and 2024

• From 2021 (NTIA): The foundation was laid, a baseline of supplier, component name, version, identifiers, timestamp, relationships, and depth. This was the first consensus on “what an SBOM must contain.”
• From 2024 (CISA Framing Document): The idea of maturity levels emerged. It recognized the difference between minimum, recommended, and aspirational practices. Attributes like license and copyright were introduced into the conversation.
• Into 2025 (CISA Draft): Many of the “recommended” attributes are now baseline requirements. Ambiguities are reduced, overlaps removed, and clarity is added on how to handle edge cases (like missing versions or partial SBOMs).

This is not a break with the past but an integration of the past, each version layering more clarity and stronger expectations onto the same shared vision.

Why This Matters

The 2025 draft helps move SBOMs from good intentions to consistent practice:

• Interoperability improves because tools and producers now have clearer guidance on mandatory elements.
• Automation is enabled by requiring hashes, identifiers, and provenance that machines can parse reliably.
• Trust increases when coverage and known-unknowns are not left to interpretation but are declared transparently.

In other words, the 2025 draft makes SBOMs more useful not just for compliance, but for everyday risk management and software assurance.

The 2025 CISA Draft Minimum Elements is best understood as the next step in a living standard. Far from being a cosmetic refresh, it represents the steady evolution of SBOM expectations:

• 2021 gave us a foundation.
• 2024 added context and maturity guidance.
• 2025 turns much of that guidance into a new baseline.

Together, they show a clear trajectory: SBOMs are maturing from a niche security artifact into a core enabler of software supply chain transparency and trust.