CISA and NSA Release Joint SBOM Guidance with 19 International Partners
CISA and NSA, along with 19 international partners, released comprehensive guidance urging global adoption of Software Bills of Materials to strengthen software supply chain security.
The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) released joint guidance on Software Bill of Materials (SBOM) implementation, developed in collaboration with cybersecurity agencies from 19 countries. The comprehensive guidance document emphasizes cross-border adoption of SBOM practices to improve software supply chain transparency and security amid increasing supply chain attacks targeting software dependencies.
SBOM Fundamentals
A Software Bill of Materials is a formal, machine-readable inventory of all components, libraries, and dependencies used in a software product. Similar to ingredient lists on food packaging, SBOMs provide transparency into software composition, enabling organizations to rapidly identify vulnerable components when security issues are disclosed. The practice has gained urgency following high-profile supply chain attacks like SolarWinds and Log4Shell, where organizations struggled to determine if they were exposed to compromised dependencies.
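The "rapidly identify vulnerable components" step is the consumer side of an SBOM. The following is an added example, not code from the guidance or any of the agencies that published it: it parses a constructed CycloneDX JSON SBOM, walks nested (transitive) components, and checks each against a constructed advisory record modelled on Log4Shell (log4j-core versions before 2.15.0). The `Advisory` type, the `fixed_in` cutoff, and the `find_exposed` function are assumptions of this example; the SBOM content and the `com.example` component are invented for illustration.

```python
"""Match a CycloneDX SBOM against a vulnerability advisory.

Added illustration; not code from the SBOM guidance. The SBOM and the
advisory below are constructed for this example.
"""
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX 1.4 JSON SBOM. The second top-level component carries
# a nested "components" list, which is how CycloneDX expresses bundled or
# transitive dependencies; a scanner that only reads the top level misses it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "com.example", "name": "webapp-utils",
         "version": "1.3.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.0-beta9"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
    ],
})


@dataclass(frozen=True)
class Advisory:
    """Hypothetical advisory record: coordinates plus the first fixed version."""
    group: str
    name: str
    fixed_in: str


# Constructed advisory modelled on Log4Shell: log4j-core before 2.15.0 is affected.
ADVISORIES = [Advisory("org.apache.logging.log4j", "log4j-core", "2.15.0")]


def parse_version(v):
    """Return a comparable key for Maven-style versions.

    Numeric dotted parts are compared as integers (trailing zeros dropped so
    2.15 == 2.15.0); a pre-release suffix such as -beta9 sorts below the
    release with the same numbers.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    if m.group(2):
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        pre = (1, "", 0)
    return tuple(nums), pre


def iter_components(node):
    """Yield every component, descending into nested component lists."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def find_exposed(sbom_json, advisories):
    """Return (name, version) for every component below an advisory's fix version."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    hits = []
    for comp in iter_components(bom):
        for adv in advisories:
            if comp.get("group") == adv.group and comp.get("name") == adv.name:
                if parse_version(comp["version"]) < parse_version(adv.fixed_in):
                    hits.append((comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    for name, version in find_exposed(SAMPLE_SBOM, ADVISORIES):
        print(f"exposed: {name} {version}")
```

Run as a script it reports the 2.14.1 copy and the 2.0-beta9 copy buried inside `webapp-utils`, and passes the patched 2.17.1 copy. The version comparison is deliberately narrow (numeric parts plus a single pre-release tag); a production consumer would use a proper version library for each ecosystem and match on `purl` rather than on group and name.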
International Collaboration
The guidance represents one of the largest coordinated efforts in software supply chain security, with cybersecurity agencies from North America, Europe, Asia, and Oceania contributing to its development. This international alignment is particularly significant because software supply chains span global boundaries: a vulnerability discovered in an open source component in one country can instantly impact systems worldwide. The participating nations are encouraging both software producers and consumers to integrate SBOM generation and consumption into their development and procurement processes.
Regulatory Context
The guidance arrives as multiple jurisdictions implement software supply chain regulations. The European Union's Cyber Resilience Act mandates SBOM disclosure for software products sold in EU markets, while U.S. government agencies now require SBOMs from software vendors under federal purchasing guidelines. The international guidance provides a harmonized framework to help organizations comply with these evolving requirements while improving their security posture through better visibility into software dependencies.