International coalition, led by the United States and involving fourteen other nations, unveils shared principles for Software Bill of Materials documentation
A significant step forward in global cybersecurity has been taken with the publication of the joint guidance document titled "A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity" on September 3. The document, signed by 21 government agencies from 15 countries, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Authority of South Africa, aims to encourage the widespread adoption of SBOMs across sectors and borders.
Allan Friedman, who led CISA's SBOM efforts between August 2021 and July 2025, welcomed the publication of the joint guidance. Friedman emphasized that while the document does not contain ground-breaking information, it is valuable to have such broad input from so many countries. He also suggested that further steps are needed, including the harmonization of technical implementations, to improve the effectiveness of SBOMs.
Josh Bressers, VP of security at Anchore, described the effort as a "great" initiative. Bressers stated that this high-level agreement is only the logical first step toward global adoption of software transparency through SBOMs. His hope for the next step is common legislation and guidance on software supply chain security across the signatory countries.
The document outlines key terms and concepts related to SBOMs, including a common definition, value proposition, and implementation methods. It describes the roles of SBOM producers, end-users (referred to as "choosers"), operators, and national cybersecurity organizations.
Lukáš Kintr, director of the Czech National Cyber and Information Security Agency (NÚKIB), emphasized the increasing complexity of software and the importance of SBOMs in creating truly secure and resilient software. Nobutaka Takeo, director of the Cybersecurity Division at the Japanese Ministry of Economy, Trade and Industry's (METI) Commerce and Information Policy Bureau, stated that Japan released SBOM Guidance 2.0 last year and will continue to raise awareness of SBOMs among relevant stakeholders while actively contributing to international discussions on the topic.
The joint guidance also includes the signatures of the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), the Canadian Centre for Cyber Security (Cyber Centre), the French Cybersecurity Agency (ANSSI), Germany's Federal Office for Information Security (BSI), the Indian Computer Emergency Response Team (CERT-In), Italy's National Cybersecurity Agency (ACN), Japan's National Cybersecurity Office (NCO), the Netherlands' National Cyber Security Centre (NCSC-NL), New Zealand's National Cyber Security Centre (NCSC-NZ), Poland's Research and Academic Computer Network (NASK), the Cyber Security Agency of Singapore (CSA), Slovakia's National Security Authority (NBÚ), South Korea's National Intelligence Service/National Cyber Security Center (NIS/NCSC) and the Korean Internet and Security Agency (KISA).
The guidance encourages the integration of SBOMs into security workflows for better risk management. This joint effort marks a significant milestone in the global fight against cyber threats, aiming to foster a more secure and resilient digital landscape.