In a landmark collaboration, cybersecurity and intelligence agencies from 15 countries have aligned on a shared vision for Software Bills of Materials (SBOMs), issuing new joint guidance to strengthen global supply chain security.
The document, titled "A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity," was published on September 3.
It was signed by 21 government agencies from 15 countries, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the NSA.
It outlines key terms and concepts related to SBOMs, including a common definition of what an SBOM is, the value proposition of SBOMs, and how to implement them.
It describes the roles of SBOM producers, end-users (referred to as “choosers” in the document), operators and national cybersecurity organizations.
Additionally, the guidance encourages widespread SBOM adoption across sectors and borders, harmonized technical implementations to reduce complexity and cost, and integration of SBOMs into security workflows for better risk management.
“This milestone reflects a growing international consensus on the importance of software transparency in securing the digital supply chain,” a CISA spokesperson commented.
Lukáš Kintr, director of the Czech National Cyber and Information Security Agency (NÚKIB), one of the signatories, emphasized the increasing complexity of software that organizations must face.
“Today’s software often consists of hundreds of components originating from various sources and libraries. SBOM brings essential transparency into this complex environment and clearly shows what the software is made of. I regard SBOM as a key step toward creating truly secure and resilient software – already from its design,” he said.
Nobutaka Takeo, director of the Cybersecurity Division at the Japanese Ministry of Economy, Trade and Industry’s (METI) Commerce and Information Policy Bureau, stated: “We are pleased to see that the importance of SBOM is being internationally recognized through this guideline. Last year, Japan released SBOM Guidance 2.0, and we will continue to raise awareness of SBOM among relevant stakeholders while actively contributing to international discussions on the topic.”
Working Towards SBOM Harmonization and Legislation
Allan Friedman, who led CISA’s SBOM efforts between August 2021 and July 2025, welcomed the publication of the joint guidance.
In a LinkedIn post, he emphasized that it was “the largest number of organizations that have ever joined CISA in an international document.”
“There is nothing here ground-breaking, but it's great to have such broad input from so many countries,” he added, before suggesting further steps are still needed, including the harmonization of technical implementations.
“Divergent implementations could hinder widespread adoption and sustainable implementation of SBOM. An aligned and coordinated approach to SBOM will improve effectiveness while reducing costs and complexities,” he said.
Speaking to Infosecurity, Josh Bressers, VP of security at Anchore and leader of the OpenSSF SBOM Everywhere working group, described the effort as a “great” initiative.
Nevertheless, he corroborated Friedman’s view, stating that this high-level agreement is only “the logical first step to see a global adoption of software transparency through SBOMs.”
Bressers’ wish for the next step is to see common legislation and guidance on software supply chain security between the signatory countries.
“Most producers operate on a global stage now, [regulations] like the EU’s Cyber Resilience Act (CRA) are going to affect a huge number of companies. No doubt other countries will create similar guidance. If we don't have a common vision, it's going to be very difficult to meet all the requirements,” he concluded.
Alongside CISA, the NSA, NÚKIB and METI, signatory organizations included:
- The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- The Canadian Centre for Cyber Security (Cyber Centre)
- The French Cybersecurity Agency (ANSSI)
- Germany’s Federal Office for Information Security (BSI)
- The Indian Computer Emergency Response Team (CERT-In)
- Italy’s National Cybersecurity Agency (ACN)
- Japan’s National Cybersecurity Office (NCO)
- The Netherlands’ National Cyber Security Centre (NCSC-NL)
- New Zealand’s National Cyber Security Centre (NCSC-NZ)
- Poland’s Research and Academic Computer Network (NASK)
- The Cyber Security Agency of Singapore (CSA)
- Slovakia’s National Security Authority (NBÚ)
- South Korea’s National Intelligence Service/National Cyber Security Center (NIS/NCSC) and the Korean Internet and Security Agency (KISA)