NSA, CISA and others urge a unified approach to strengthen cybersecurity resilience
On 3 September 2025, cybersecurity agencies from the United States, Europe, Asia, and Oceania released joint guidance promoting Software Bills of Materials (SBOM) as a tool for improving transparency in software supply chains. The document highlights how SBOMs can help organizations manage vulnerabilities, strengthen risk management, and support secure-by-design practices across critical sectors.

On 3 September 2025, a coalition of national cybersecurity agencies, led by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and including partners from Europe, Asia, Oceania, and North America, published joint guidance on the role of Software Bills of Materials (SBOM) in strengthening cybersecurity. The document, titled A Shared Vision of Software Bill of Materials for Cybersecurity, sets out the benefits of adopting SBOMs across the software ecosystem and outlines how greater transparency in software components can reduce risks, lower costs, and improve resilience.
An SBOM is described as a formal, machine-readable record of the components used to build software, similar to a ‘list of ingredients.’ By documenting open-source and proprietary modules, SBOMs allow organisations to identify vulnerabilities, trace dependencies, and verify the origins of software components. The guidance emphasises that SBOMs can be integrated with other datasets, such as vulnerability databases and security advisories, to enable faster and more accurate responses to emerging threats. The widely publicised Log4Shell vulnerability in 2021 is cited as an example where organisations with SBOMs were able to react more efficiently than those without.
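As an added illustration (not part of the agencies' guidance), the following Python example shows the cross-referencing step described above: a constructed CycloneDX-style SBOM is matched against a constructed advisory list by package URL and version range, and the dependency chain that explains why an affected component is present is reported. All package names, versions and advisory identifiers are placeholders.

```python
import json

# Constructed CycloneDX-style SBOM: sample data, not taken from any real product.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "web-app", "version": "3.2.0", "purl": "pkg:maven/example/web-app@3.2.0"},
    {"name": "logging-lib", "version": "2.14.1", "purl": "pkg:maven/example/logging-lib@2.14.1"},
    {"name": "json-parser", "version": "1.9.0", "purl": "pkg:maven/example/json-parser@1.9.0"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/web-app@3.2.0", "dependsOn": ["pkg:maven/example/json-parser@1.9.0"]},
    {"ref": "pkg:maven/example/json-parser@1.9.0", "dependsOn": ["pkg:maven/example/logging-lib@2.14.1"]}
  ]
}"""

# Constructed advisory feed: placeholder IDs and version ranges, not real vulnerability data.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "purl_prefix": "pkg:maven/example/logging-lib",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "purl_prefix": "pkg:maven/example/json-parser",
     "introduced": "1.0.0", "fixed": "1.8.0"},
]

def version_key(version):
    """Numeric tuple for simple dotted versions; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def dependency_path(sbom, target_ref):
    """Walk the dependency graph upward to show which root pulls in target_ref."""
    parents = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    path, ref = [target_ref], target_ref
    while ref in parents:          # sample graph has one parent per node
        ref = parents[ref][0]
        path.append(ref)
    return list(reversed(path))

def affected_components(sbom_text, advisories):
    """Match each SBOM component against advisories by purl (without version) and range."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom["components"]:
        purl_no_version = comp["purl"].split("@")[0]
        for adv in advisories:
            if purl_no_version != adv["purl_prefix"]:
                continue
            v = version_key(comp["version"])
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                findings.append({"advisory": adv["id"], "purl": comp["purl"],
                                 "path": dependency_path(sbom, comp["purl"])})
    return findings
```

Running `affected_components(SBOM_JSON, ADVISORIES)` flags only the logging library, reached transitively via the JSON parser, while the parser itself sits outside its advisory's affected range.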
The value of SBOMs extends across the software lifecycle. They help producers track upstream components, choosers make better procurement decisions, and operators manage risks in deployed systems. For governments and national cybersecurity agencies, SBOMs support vulnerability disclosure, procurement processes, and coordinated responses across sectors. The guidance also highlights SBOM’s role in advancing the “secure by design” approach, which encourages software manufacturers to embrace transparency and accountability in supply chains. Automated tools for SBOM generation, management, and use are seen as critical to achieving this.
The publication concludes that wider and more harmonised adoption of SBOM practices will improve global cybersecurity by providing a clearer picture of software supply chains. Aligning technical standards and promoting interoperability are considered essential to ensure effective and sustainable implementation.