Minimum Elements For a Software Bill of Materials (SBOM)

On July 12th the NTIA and the Department of Commerce released a document of interest to any software developer:

The Executive Order (14028) on Improving the Nation’s Cybersecurity directs the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), to publish the “minimum elements” for a Software Bill of Materials

An SBOM is a formal record containing the details and supply chain relationships of various components used in building software.

You have to include this for any of the elements or third party tools included in your software. Say you utilize a WYSIWYG Rich Text editor from a popular company or even a proprietary CSS/JQuery template, you need to track these bills of material as closely you do your own code.

You need the following data fields:

You must include thew ability to automate (this means including a parser and publishing metadata) using one of the following

An SBOM is much more than just metadata. You need to include your policy and procedures around security and updates. You need to include:

The paper released goes into much greater detail on all of these elements.


As a coalition we want businesses to focus on automation of compliance. We also see software development as a huge growth opportunity for the state and want to help any small business who wants to learn the ins and outs of selling software to the government.

(CMMC just Department of Defense now but Supply Chain Risk Management with a -171 baseline to protect CUI coming for all agencies and all contractors. Please track the changes related to Executive Order (14028) on Improving the Nation’s Cybersecurity)

Featured image: “Software Bugs” by FastJack is licensed under CC BY

Leave a comment

Your email address will not be published. Required fields are marked *