Paubox blog

CISA seeks public input on new SBOM guidance for software transparency

Written by Farah Amod | September 11, 2025

The cybersecurity agency is inviting comments on updated standards that could shape how healthcare and other industries assess third-party software risk.


What happened

The Cybersecurity and Infrastructure Security Agency (CISA) has released updated guidance on Software Bills of Materials (SBOMs) and is seeking public feedback before finalizing the document. The updated draft, titled 2025 Minimum Elements for a Software Bill of Materials, expands upon earlier recommendations and aims to improve software transparency and supply chain security.

SBOMs are machine-readable lists that identify all components and dependencies in a software product. In healthcare, where third-party vulnerabilities can bypass otherwise strong internal security controls, SBOMs are a necessary tool for identifying hidden risks. The Food and Drug Administration (FDA) already mandates SBOMs for premarket submissions of medical devices.


Going deeper

Third-party software remains one of the most severe blind spots in healthcare cybersecurity. While organizations can manage their own networks, they often have little visibility into components embedded by external vendors, which makes patching or mitigation difficult.

The updated guidance shows the growing maturity of SBOM practices and calls for machine-processable formats that can integrate into larger cybersecurity workflows. Notably, the new draft includes expanded SBOM data fields such as:

  • The tool used to generate the SBOM
  • Cryptographic hash of the software
  • Enhanced version tracking
  • Additional metadata revisions
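The fields above only reduce third-party risk if a consumer actually checks them. As an added example (not code from CISA or Paubox), the Python below audits a constructed, CycloneDX-style SBOM for the generating tool, verifies the recorded SHA-256 against the delivered artifact bytes instead of merely checking that a hash is present, and flags dependencies with no version or hash. The SBOM layout, tool name and artifact bytes are assumptions built for the example.

```python
import hashlib

# Constructed artifact bytes standing in for a delivered software package.
ARTIFACT = b"constructed-device-firmware-2.1.0"


def audit_sbom(sbom: dict, artifact: bytes) -> list:
    """Findings for the expanded fields (tool, hash, version); [] means all pass."""
    findings = []
    meta = sbom.get("metadata", {})
    # Generating tool: the draft asks for the tool that produced the SBOM.
    if not meta.get("tools", {}).get("components"):
        findings.append("no generating tool recorded")
    # Cryptographic hash: verify it against the delivered bytes, not just presence.
    top = meta.get("component", {})
    hashes = {h.get("alg"): h.get("content", "").lower() for h in top.get("hashes", [])}
    expected = hashes.get("SHA-256")
    if expected is None:
        findings.append("top-level component has no SHA-256 hash")
    elif expected != hashlib.sha256(artifact).hexdigest():
        findings.append("top-level SHA-256 does not match the delivered artifact")
    # Version tracking: every listed dependency needs a version and a hash.
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append(f"component {name} has no version")
        if not comp.get("hashes"):
            findings.append(f"component {name} has no hash")
    return findings


# Constructed CycloneDX-style SBOM; the layout is an assumption, not CISA's text.
GOOD_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "tools": {"components": [{"name": "example-sbom-tool", "version": "0.9.0"}]},
        "component": {"name": "device-firmware", "version": "2.1.0",
                      "hashes": [{"alg": "SHA-256",
                                  "content": hashlib.sha256(ARTIFACT).hexdigest()}]},
    },
    "components": [{"name": "libexample", "version": "1.2.3",
                    "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]}],
}

# Same package, but: no tool, tampered hash, and a dependency with no version or hash.
BAD_SBOM = {
    "metadata": {"component": {"name": "device-firmware", "version": "2.1.0",
                               "hashes": [{"alg": "SHA-256", "content": "00" * 32}]}},
    "components": [{"name": "libexample", "version": "", "hashes": []}],
}
```

Running `audit_sbom(GOOD_SBOM, ARTIFACT)` returns no findings, while `audit_sbom(BAD_SBOM, ARTIFACT)` reports the missing tool, the hash mismatch and the unversioned, unhashed dependency.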

Although the document is aimed at federal agencies, CISA encourages all stakeholders, including healthcare providers and software vendors, to adopt the standards. Public comments will be accepted through October 3, 2025.


What was said

“SBOMs provide a detailed inventory of software components, enabling organizations to identify vulnerabilities, assess risk, and make informed decisions about the software they use and deploy,” CISA stated. The agency emphasized the importance of formats that support scalability and integration into broader security frameworks, given the increasing adoption of SBOMs across both public and private sectors.


FAQs

What is an SBOM, and why is it useful in cybersecurity?

An SBOM (Software Bill of Materials) is a detailed list of all software components and dependencies in a product. It helps organizations detect vulnerabilities, understand risk exposure, and respond quickly during a security incident.


How do SBOMs help manage third-party risk?

By identifying all embedded components, including open-source or third-party code, SBOMs allow security teams to assess the risk of each element, even those not directly built by the primary software vendor.


How does this CISA guidance relate to existing FDA requirements?

While the FDA mandates SBOMs for medical device submissions, CISA’s guidance broadens the application to general software procurement and supply chain security, potentially aligning healthcare cybersecurity with federal best practices.


What are some of the new fields added in the 2025 draft?

The update introduces fields for the name of the SBOM creation tool, cryptographic hashes for integrity verification, and improved metadata for version control and software lifecycle management.


How can individuals or organizations provide feedback on the guidance?

CISA is accepting public comments until October 3, 2025. Feedback can be submitted through the agency’s official comment portal to influence the final version of the SBOM guidance.