All news with #software supply chain security tag

📝 CISA has issued a request for public comment on an updated guideline defining minimum elements for a software bill of materials (SBOM), intending to reflect advances in tooling and wider adoption since the 2021 NTIA document. The effort traces to President Biden’s EO 14028 and subsequent OMB guidance (M-22-18) requiring improved software supply chain security. Recent shifts in leadership and the OpenSSF’s announcement about the SBOM working group have reshaped the community landscape. Stakeholders may submit comments through October 3, 2025.

📣 CISA released a draft Minimum Elements for a Software Bill of Materials (SBOM) for public comment, updating the baseline to reflect advances in tooling and increased SBOM adoption since 2021. The guidance adds elements such as component hash, license, tool name, and generation context, and clarifies existing fields like SBOM author and software producer. Comments are open through October 3, 2025.

📝 CISA opened a public comment period on updated guidance for the Minimum Elements for a Software Bill of Materials (SBOM), with submissions accepted through October 3, 2025. The draft refines required data fields, strengthens automation and machine-readable support, and clarifies operational practices to help organizations produce scalable, interoperable, and comprehensive SBOMs. Stakeholders are encouraged to provide feedback via the Federal Register to inform a future final release.

🔍 CISA, with partners including DARPA, OUSD R&E, and the NSA, is leading an interagency effort to close a national gap in software understanding that endangers critical infrastructure. A new Sandia National Laboratories report, The National Need for Software Understanding, describes the gap’s causes, risks, and options for remediation. CISA urges manufacturers to design software for independent analysis and invites experts and mission owners to engage on research priorities.

🔐 Google’s Open Source Security Team today announced OSS Rebuild, a new project to reproduce upstream artifacts and supply SLSA-grade provenance for popular package ecosystems. The service automates declarative build definitions and reproducible builds for PyPI, npm, and Crates.io, generating attestations that meet SLSA Build Level 3 requirements without requiring publisher changes. Security teams can use the project to verify published artifacts, detect unexpected embedded source or build-time compromises, and integrate the resulting provenance into vulnerability response workflows. The project is available as a hosted data set and as open-source tooling and infrastructure for organizations to run their own rebuild pipelines.