
CISA Issues SBOM Sharing Guidance — September 14, 2022

CISA published practical guidance on creating, exchanging, and using Software Bills of Materials, addressing format selection, automation, and procurement expectations for critical software.

Executive briefing: The Cybersecurity and Infrastructure Security Agency released its Software Bill of Materials (SBOM) Sharing Guidance. The document explains how producers and consumers should negotiate SBOM formats, automate delivery, handle sensitive data, and embed SBOM review into vulnerability management programmes.

Key guidance themes

  • Format flexibility. Organizations should agree on SPDX, CycloneDX, or SWID based on use cases, ensuring tooling can generate, parse, and validate the chosen structure.
  • Automation and scale. CISA encourages API-based SBOM exchanges and version control integration so updates accompany software releases and vulnerability disclosures.
  • Handling sensitive data. Parties should classify SBOM data, redact security-sensitive components when necessary, and document expectations in procurement language.

Actions for producers and operators

  • Assess SBOM generation capabilities across build pipelines and ensure every critical software release includes machine-readable manifests.
  • Update supplier questionnaires and contracts to specify SBOM formats, delivery frequency, and support for vulnerability correlation tooling.
  • Integrate SBOM ingestion with vulnerability scanners and asset inventories so newly disclosed flaws can be triaged rapidly.
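The ingestion step above, as an added illustration that is not CISA's or Zeph Tech's code: it validates that a manifest is CycloneDX JSON, extracts version-less package URLs, correlates them against an advisory feed, and separately reports components that carry no purl and so cannot be checked. The SBOM, the advisory feed and the `ADV-PLACEHOLDER-*` ids are all constructed sample data.

```python
import json
# Constructed CycloneDX 1.4 JSON SBOM used as sample input (not a real product manifest).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "widget", "version": "1.2.3",
         "purl": "pkg:maven/org.example/widget@1.2.3?type=jar"},
        {"type": "library", "name": "legacy-blob", "version": "0.9"},  # no purl: cannot be correlated
    ],
})
# Constructed advisory feed keyed by version-less purl; ids are placeholders, not real advisories.
SAMPLE_ADVISORIES = {
    "pkg:npm/lodash": [("4.17.20", "ADV-PLACEHOLDER-1"), ("4.17.19", "ADV-PLACEHOLDER-1")],
    "pkg:maven/org.example/widget": [("1.2.3", "ADV-PLACEHOLDER-2")],
    "pkg:pypi/requests": [("2.25.0", "ADV-PLACEHOLDER-3")],  # version differs: no finding expected
}

def split_purl(purl):
    # Drop qualifiers (?...) and subpath (#...), then separate the version after "@".
    base, _, version = purl.split("?", 1)[0].split("#", 1)[0].partition("@")
    return base, version

def parse_cyclonedx(sbom_json):
    """Check the document is CycloneDX; return (identified components, names lacking a purl)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX document; agree a supported format with the supplier")
    identified, unidentified = [], []
    for comp in doc.get("components", []):
        if not comp.get("purl"):
            unidentified.append(comp.get("name", "<unnamed>"))  # escalate to supplier follow-up
            continue
        base, version = split_purl(comp["purl"])
        identified.append((comp.get("name"), base, version or comp.get("version", "")))
    return identified, unidentified

def correlate(components, advisories):
    """Match identified components to the advisory feed by purl base and exact version."""
    findings = []
    for name, base, version in components:
        for vulnerable_version, advisory_id in advisories.get(base, []):
            if version == vulnerable_version:
                findings.append((name, version, advisory_id))
    return sorted(set(findings))

def triage(sbom_json, advisories):
    components, unidentified = parse_cyclonedx(sbom_json)
    return {"findings": correlate(components, advisories), "unidentified": unidentified}
```

Components reported under `unidentified` are the ones to raise with the supplier, since a manifest entry without a package identifier gives vulnerability correlation nothing to key on.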

Assurance considerations

  • Regulatory alignment. Align SBOM workflows with U.S. Executive Order 14028 directives, FDA medical device expectations, and forthcoming EU CRA requirements.
  • Evidence collection. Maintain SBOM delivery logs, tooling screenshots, and remediation playbooks for audits and customer due diligence.
  • Supplier enablement. Provide templates and sample manifests to small vendors that may lack automation, reducing onboarding friction.

Zeph Tech is updating SBOM contract clauses and ingestion pipelines so security teams can operationalise CISA’s sharing recommendations at scale.
