The National Security Agency has joined the Cybersecurity and Infrastructure Security Agency and international partners to publish joint guidance promoting a unified approach to software bills of materials, aiming to strengthen software supply-chain security and streamline adoption across industry. The Cybersecurity Information Sheet, titled “A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity,” encourages software makers, buyers, and operators to build SBOM generation, analysis, and sharing into existing security programs.
SBOMs provide an inventory of a product’s components and dependencies, giving organizations clearer visibility into what they run and rely on. The new guidance highlights how improved component transparency can help identify and mitigate supply-chain risks, and it offers risk-management practices and use cases for reducing exposure to known vulnerabilities. The document also ties SBOM adoption to CISA’s Secure by Design initiative, which promotes security features built into products by default.
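The analysis use case the guidance describes, matching the component inventory in an SBOM against known-vulnerability data, is easy to show in working code. The example below is added here; it is not from the Cybersecurity Information Sheet or from any of the authoring agencies. It assumes a CycloneDX-style JSON SBOM (the `bomFormat`/`components`/`purl` shape), a small constructed advisory feed with hypothetical advisory ids (not real CVEs), and a simplified numeric version comparison that is not a full semver or ecosystem-specific implementation.

```python
import json

# Constructed, minimal CycloneDX-style SBOM (not any real product's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.2.3",
         "purl": "pkg:pypi/examplelib@1.2.3"},
        {"type": "library", "name": "netparser", "version": "0.9.0",
         "purl": "pkg:npm/netparser@0.9.0"},
        {"type": "library", "name": "netparser", "version": "1.1.0",
         "purl": "pkg:npm/netparser@1.1.0"},
        {"type": "library", "name": "cryptohelper", "version": "2.0.1",
         "purl": "pkg:pypi/cryptohelper@2.0.1"},
    ],
})

# Constructed advisory feed with hypothetical ids (NOT real CVEs).
# Each entry names the ecosystem, package, and first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "npm", "name": "netparser", "fixed": "1.0.0"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "pypi", "name": "cryptohelper", "fixed": "2.0.2"},
]


def parse_version(version):
    """Turn '1.2.3' into (1, 2, 3) for ordering.

    Simplified: leading digits of each dot-separated piece are kept, suffixes
    such as '-rc1' are ignored. Real tooling needs ecosystem-aware comparison.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_purl(purl):
    """Split a package URL 'pkg:type/[namespace/]name@version[?q][#sub]'
    into (ecosystem, name, version), dropping namespace, qualifiers and subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: %r" % purl)
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ecosystem, _, rest = body.partition("/")
    name_version = rest.rsplit("/", 1)[-1]  # last path segment is name@version
    name, _, version = name_version.partition("@")
    return ecosystem, name, version


def load_components(sbom_json):
    """Return a flat list of {ecosystem, name, version} dicts from a CycloneDX JSON string."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    components = []
    for comp in bom.get("components", []):
        if "purl" in comp:
            ecosystem, name, version = parse_purl(comp["purl"])
        else:
            # Fall back to the bare name/version fields when no purl is present.
            ecosystem, name, version = "unknown", comp.get("name", ""), comp.get("version", "")
        components.append({"ecosystem": ecosystem, "name": name, "version": version})
    return components


def find_affected(components, advisories):
    """Cross-reference inventory against advisories.

    A component is affected when it is the same ecosystem and package as an
    advisory and its version sorts below the advisory's first fixed version.
    Returns sorted tuples of (advisory id, package, installed version, fixed version).
    """
    index = {}
    for adv in advisories:
        index.setdefault((adv["ecosystem"], adv["name"]), []).append(adv)
    hits = []
    for comp in components:
        for adv in index.get((comp["ecosystem"], comp["name"]), []):
            if parse_version(comp["version"]) < parse_version(adv["fixed"]):
                hits.append((adv["id"], comp["name"], comp["version"], adv["fixed"]))
    return sorted(hits)


if __name__ == "__main__":
    inventory = load_components(SAMPLE_SBOM)
    print("components in SBOM:", len(inventory))
    for adv_id, name, installed, fixed in find_affected(inventory, SAMPLE_ADVISORIES):
        print("%s: %s %s is affected, first fixed in %s" % (adv_id, name, installed, fixed))
```

Note that the two `netparser` entries illustrate why an SBOM is checked per component rather than per package name: the same library can ship at two versions inside one product, and only the older one is flagged. A production pipeline would replace the constructed advisory list with a real feed and the numeric version comparison with ecosystem-specific range matching.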
The authoring agencies call for alignment on a common vision to avoid fragmented implementations that add cost and complexity and could impede broad, sustainable use. The report arrives amid continued pressure on vendors and critical-infrastructure operators to manage software supply-chain risk more systematically following high-profile incidents and the increased focus from governments and regulators on secure development practices.
The report is available at: https://media.defense.gov/2025/Sep/03/2003791481/-1/-1/0/JOINT-GUIDANCE-A-SHARED-VISION-OF-SOFTWARE-BILL-OF-MATERIALS-FOR-CYBERSECURITY.PDF. Additional resources can be found at NSA’s cybersecurity guidance library (https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/) and CISA’s Secure by Design page (https://www.cisa.gov/securebydesign).