{"description":"Documents matching 'software bill of materials'","count":10000,"total_pages":50,"next_page_url":"https://www.federalregister.gov/api/v1/documents?conditions%5Bterm%5D=software+bill+of+materials&format=json&page=2","results":[{"title":"Request for Comment on 2025 Minimum Elements for a Software Bill of Materials","type":"Notice","abstract":"The Cybersecurity and Infrastructure Security Agency (CISA) announces the publication and request for public comment on draft guidance entitled, \"2025 Minimum Elements for a Software Bill of Materials (SBOM)\" (2025 CISA SBOM Minimum Elements), which updates the elements of an SBOM to reflect improvements in SBOM tooling and increased maturity of SBOM implementation. CISA requests input on the clarifications and enhancements in the proposed voluntary guidance.","document_number":"2025-16147","html_url":"https://www.federalregister.gov/documents/2025/08/22/2025-16147/request-for-comment-on-2025-minimum-elements-for-a-software-bill-of-materials","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2025-08-22/pdf/2025-16147.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2025-16147.pdf?1755780337","publication_date":"2025-08-22","agencies":[{"raw_name":"DEPARTMENT OF HOMELAND SECURITY","name":"Homeland Security Department","id":227,"url":"https://www.federalregister.gov/agencies/homeland-security-department","json_url":"https://www.federalregister.gov/api/v1/agencies/227","parent_id":null,"slug":"homeland-security-department"}],"excerpts":"Background \n An SBOM is a nested inventory, a list of ingredients that make up <span class=\"match\">software</span> components. The National Telecommunications and Information Administration (NTIA) published “Minimum Elements for a <span class=\"match\">Software</span> <span class=\"match\">Bill</span> of <span class=\"match\">Materials</span> (SBOM)” on July 12, 2021 (2021 NTIA SBOM Minimum Elements), as directed by Executive Order (E.O.) 14028. These minimum elements marked an important milestone for the NTIA's SBOM advancement efforts and established basic specifications for <span class=\"match\">software</span> producers and tool developers. This 2021 document was designed to establish"},{"title":"Fall 2024 Cybersecurity and Infrastructure Security Agency SBOM-a-Rama; Meeting","type":"Notice","abstract":"CISA will facilitate a public event to build on existing community-led work around Software Bill of Materials (SBOM) on specific SBOM topics. The first goal of this two-day event is to help the broader software and security community understand the current state of SBOM. Secondly, this event will foster discussion between organizations interested in exploring SBOM automation solutions and those focusing on open source and proprietary tools.","document_number":"2024-10922","html_url":"https://www.federalregister.gov/documents/2024/05/20/2024-10922/fall-2024-cybersecurity-and-infrastructure-security-agency-sbom-a-rama-meeting","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2024-05-20/pdf/2024-10922.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2024-10922.pdf?1715949915","publication_date":"2024-05-20","agencies":[{"raw_name":"DEPARTMENT OF HOMELAND SECURITY","name":"Homeland Security Department","id":227,"url":"https://www.federalregister.gov/agencies/homeland-security-department","json_url":"https://www.federalregister.gov/api/v1/agencies/227","parent_id":null,"slug":"homeland-security-department"}],"excerpts":"1995,\n 7 \n \n and tracking use of third-party code is a longstanding <span class=\"match\">software</span> best practice.\n 8 \n \n \n \n \n 5 \n  A brief summary of the history of a <span class=\"match\">software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span> can be found in Carmody, S., Coravos, A., Fahs, G. et al. Building resilient medical technology supply chains with a <span class=\"match\">software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span>. npj Digit. Med. 4, 34 (2021). \n https://doi.org/10.1038/s41746-021-00403-w. \n \n \n \n \n 6 \n  See “Toyota Supply Chain Management: A Strategic Approach to Toyota's Renowned System” by Ananth V. Iyer, Sridhar Seshadri, and Roy Vasher—a work"},{"title":"Winter 2024 CISA SBOM-a-Rama","type":"Notice","abstract":"CISA will facilitate a public event to build on existing community-led work around Software Bill of Materials (SBOM) on specific SBOM topics. The goal of this meeting is to help the broader software and security community understand the current state of SBOM and what efforts have been made by different parts of the SBOM community, including CISA-facilitated, community-led work and other activity from sectors and governments.","document_number":"2024-04235","html_url":"https://www.federalregister.gov/documents/2024/02/29/2024-04235/winter-2024-cisa-sbom-a-rama","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2024-02-29/pdf/2024-04235.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2024-04235.pdf?1709127931","publication_date":"2024-02-29","agencies":[{"raw_name":"DEPARTMENT OF HOMELAND SECURITY","name":"Homeland Security Department","id":227,"url":"https://www.federalregister.gov/agencies/homeland-security-department","json_url":"https://www.federalregister.gov/api/v1/agencies/227","parent_id":null,"slug":"homeland-security-department"}],"excerpts":"1995,\n 7 \n \n and tracking use of third-party code is a longstanding <span class=\"match\">software</span> best practice.\n 8 \n \n \n \n \n 5 \n  A brief summary of the history of a <span class=\"match\">software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span> can be found in Carmody, S., Coravos, A., Fahs, G. et al. Building resilient medical technology supply chains with a <span class=\"match\">software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span>. npj Digit. Med. 4, 34 (2021). \n https://doi.org/10.1038/s41746-021-00403-w. \n \n \n \n \n 6 \n  See “Toyota Supply Chain Management: A Strategic Approach to Toyota's Renowned System” by Ananth V. Iyer, Sridhar Seshadri, and Roy Vasher—a work"},{"title":"2023 CISA SBOM-a-Rama","type":"Notice","abstract":"The Cybersecurity and Infrastructure Security Agency will facilitate a public event to build on existing community-led work around Software Bill of Materials (\"SBOM\") on specific SBOM topics.","document_number":"2023-10825","html_url":"https://www.federalregister.gov/documents/2023/05/22/2023-10825/2023-cisa-sbom-a-rama","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2023-05-22/pdf/2023-10825.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2023-10825.pdf?1684500322","publication_date":"2023-05-22","agencies":[{"raw_name":"DEPARTMENT OF HOMELAND SECURITY","name":"Homeland Security Department","id":227,"url":"https://www.federalregister.gov/agencies/homeland-security-department","json_url":"https://www.federalregister.gov/api/v1/agencies/227","parent_id":null,"slug":"homeland-security-department"}],"excerpts":"the <span class=\"match\">software</span> and security communities' understanding of SBOM creation, use, and implementation across the broader technology ecosystem.\n \n \n \n 2 \n  \n Id. \n at 10(j), 86 FR 26633 at 26646 (May 17, 2021).\n \n \n \n \n 3 \n  \n Ibid. \n \n \n \n \n 4 \n  \n Ibid. \n \n \n I. SBOM Background \n \n The idea of a <span class=\"match\">software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span> is not novel.\n 5 \n \n It has been discussed and explored in the <span class=\"match\">software</span> industry for many years, building on industrial and supply chain innovations.\n 6 \n \n Academics identified the potential value of a “<span class=\"match\">software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span>” as"},{"title":"Request for Comment on Software Identification Ecosystem Option Analysis","type":"Notice","abstract":"The Cybersecurity and Infrastructure Security Agency (CISA) announces the publication of \"Software Identification Ecosystem Option Analysis,\" which is a white paper on software identification ecosystems and requests public comment on the paths forward identified by the paper and on the analysis of the merits and challenges of the software identifier ecosystems discussed. Additionally, CISA requests input on analysis or approaches currently absent from the paper.","document_number":"2023-23668","html_url":"https://www.federalregister.gov/documents/2023/10/26/2023-23668/request-for-comment-on-software-identification-ecosystem-option-analysis","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2023-10-26/pdf/2023-23668.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2023-23668.pdf?1698237987","publication_date":"2023-10-26","agencies":[{"raw_name":"DEPARTMENT OF HOMELAND SECURITY","name":"Homeland Security Department","id":227,"url":"https://www.federalregister.gov/agencies/homeland-security-department","json_url":"https://www.federalregister.gov/api/v1/agencies/227","parent_id":null,"slug":"homeland-security-department"}],"excerpts":" and broader, more effective use of <span class=\"match\">software</span> <span class=\"match\">bills</span> of <span class=\"match\">materials</span> (SBOMs). \n The two key requirements for an effective <span class=\"match\">software</span> identification ecosystem are: \n 1. Timely availability of <span class=\"match\">software</span> identifiers across all <span class=\"match\">software</span> items; and \n 2. <span class=\"match\">Software</span> identifiers that support both precise identification and grouping of <span class=\"match\">software</span> items. \n Key challenges for an effective <span class=\"match\">software</span> identification ecosystem are: (1) uniformly and deterministically generating or locating the identifier for an unknown piece of <span class=\"match\">software</span> (discoverability); (2) distributing"},{"title":"Request for Comments on Bolstering Data Center Growth, Resilience, and Security","type":"Notice","abstract":"The National Telecommunications and Information Administration (NTIA) hereby requests comments on the challenges surrounding data center growth, resilience and security in the United States amidst a surge of computing power demand due to the development of critical and emerging technologies. This request focuses on identifying opportunities for the U.S. government to improve data centers' market development, supply chain resilience, and data security. NTIA will rely on these comments, along with other public engagements on this topic, to draft and issue a public report capturing economic and security policy considerations and policy recommendations for fostering safe, secure, and sustainable data center growth.","document_number":"2024-19524","html_url":"https://www.federalregister.gov/documents/2024/09/04/2024-19524/request-for-comments-on-bolstering-data-center-growth-resilience-and-security","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2024-09-04/pdf/2024-19524.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2024-19524.pdf?1725367514","publication_date":"2024-09-04","agencies":[{"raw_name":"DEPARTMENT OF COMMERCE","name":"Commerce Department","id":54,"url":"https://www.federalregister.gov/agencies/commerce-department","json_url":"https://www.federalregister.gov/api/v1/agencies/54","parent_id":null,"slug":"commerce-department"},{"raw_name":"National Telecommunications and Information Administration","name":"National Telecommunications and Information Administration","id":373,"url":"https://www.federalregister.gov/agencies/national-telecommunications-and-information-administration","json_url":"https://www.federalregister.gov/api/v1/agencies/373","parent_id":54,"slug":"national-telecommunications-and-information-administration"}],"excerpts":"data center models and architectures (\n e.g., \n edge computing, AI-enabled, <span class=\"match\">software</span>-defined infrastructure, or digital coherent optics)?\n \n d. How prevalent is the use of open-source <span class=\"match\">software</span> in critical IT/OT systems in data centers in the United States? What steps or processes are undertaken by data center operators to ensure the quality and security of the open-source <span class=\"match\">software</span>? \n e. Who are the major suppliers (both foreign and domestic) of data center hardware, <span class=\"match\">software</span>, and services? What can the U.S. government do to bolster smaller suppliers"},{"title":"Agency Information Collection Activities: Request for Comment on Secure Software Development Attestation Common Form","type":"Notice","abstract":"The Cyber Supply Chain Risk Management (C-SCRM) Program Management Office (PMO) within Cybersecurity and Infrastructure Security Agency (CISA) will submit the following information collection request (ICR) to the Office of Management and Budget (OMB) for review and clearance. CISA previously published this information collection request (ICR) in the Federal Register on April 27, 2023, for a 60-day public comment period. 110 comments were received by CISA. The purpose of this notice is to allow additional 30-days for public comments.","document_number":"2023-25251","html_url":"https://www.federalregister.gov/documents/2023/11/16/2023-25251/agency-information-collection-activities-request-for-comment-on-secure-software-development","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2023-11-16/pdf/2023-25251.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2023-25251.pdf?1700055955","publication_date":"2023-11-16","agencies":[{"raw_name":"DEPARTMENT OF HOMELAND SECURITY","name":"Homeland Security Department","id":227,"url":"https://www.federalregister.gov/agencies/homeland-security-department","json_url":"https://www.federalregister.gov/api/v1/agencies/227","parent_id":null,"slug":"homeland-security-department"}],"excerpts":"list of <span class=\"match\">software</span> that requires self-attestation. \n • Edited the <span class=\"match\">software</span> products and components that are not in scope for M-22-18, as amended by M-23-16, and do not require self attestation to now read: \n 1. “<span class=\"match\">Software</span> developed by Federal agencies; \n 2. Open source <span class=\"match\">software</span> that is freely and directly obtained by a federal agency; or \n 3. <span class=\"match\">Software</span> that is freely obtained and publicly available.” \n This aligns with M-23-16. This changes is also reflected in the Form on page 8. \n \n • Under “Filling Out the Form,” added “When the <span class=\"match\">software</span> producer"},{"title":"Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing","type":"Proposed Rule","abstract":"DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to partially implement an Executive order on cyber threats and incident reporting and information sharing for Federal contractors and to implement related cybersecurity policies.","document_number":"2023-21328","html_url":"https://www.federalregister.gov/documents/2023/10/03/2023-21328/federal-acquisition-regulation-cyber-threat-and-incident-reporting-and-information-sharing","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2023-10-03/pdf/2023-21328.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2023-21328.pdf?1696250725","publication_date":"2023-10-03","agencies":[{"raw_name":"DEPARTMENT OF DEFENSE","name":"Defense Department","id":103,"url":"https://www.federalregister.gov/agencies/defense-department","json_url":"https://www.federalregister.gov/api/v1/agencies/103","parent_id":null,"slug":"defense-department"},{"raw_name":"GENERAL SERVICES ADMINISTRATION","name":"General Services Administration","id":210,"url":"https://www.federalregister.gov/agencies/general-services-administration","json_url":"https://www.federalregister.gov/api/v1/agencies/210","parent_id":null,"slug":"general-services-administration"},{"raw_name":"NATIONAL AERONAUTICS AND SPACE ADMINISTRATION","name":"National Aeronautics and Space Administration","id":301,"url":"https://www.federalregister.gov/agencies/national-aeronautics-and-space-administration","json_url":"https://www.federalregister.gov/api/v1/agencies/301","parent_id":null,"slug":"national-aeronautics-and-space-administration"}],"excerpts":"been shared.\n \n \n (3) \n <span class=\"match\">Software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span> (SBOM). \n \n \n (i) The Contractor shall maintain, and upon the initial use of such <span class=\"match\">software</span> in the performance of this contract, provide or provide access to the Contracting Officer a current SBOM for each piece of computer <span class=\"match\">software</span> used in performance of the contract. Each SBOM shall be produced in a machine-readable, industry-standard format and shall comply with all of the minimum elements identified in Section IV of The Minimum Elements for a <span class=\"match\">Software</span> <span class=\"match\">Bill</span> of <span class=\"match\">Materials</span> (the current version at"},{"title":"Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles","type":"Proposed Rule","abstract":"In this advance notice of proposed rulemaking (ANPRM), the Department of Commerce's (Department) Bureau of Industry and Security (BIS) seeks public comment on issues and questions related to transactions involving information and communications technology and services (ICTS) that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign countries or foreign non-government persons identified in the Department's regulations, pursuant to the Executive Order (E.O.) entitled \"Securing the Information and Communications Technology and Services Supply Chain,\" and that are integral to connected vehicles (CVs), as defined herein. This ANPRM will assist BIS in determining the technologies and market participants that may be most appropriate for regulation pursuant to the E.O.","document_number":"2024-04382","html_url":"https://www.federalregister.gov/documents/2024/03/01/2024-04382/securing-the-information-and-communications-technology-and-services-supply-chain-connected-vehicles","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04382.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2024-04382.pdf?1709214331","publication_date":"2024-03-01","agencies":[{"raw_name":"DEPARTMENT OF COMMERCE","name":"Commerce Department","id":54,"url":"https://www.federalregister.gov/agencies/commerce-department","json_url":"https://www.federalregister.gov/api/v1/agencies/54","parent_id":null,"slug":"commerce-department"},{"raw_name":"Bureau of Industry and Security","name":"Industry and Security Bureau","id":241,"url":"https://www.federalregister.gov/agencies/industry-and-security-bureau","json_url":"https://www.federalregister.gov/api/v1/agencies/241","parent_id":54,"slug":"industry-and-security-bureau"}],"excerpts":"materials and <span class=\"match\">software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span> as authentic for vendors and suppliers, specifically regarding OS, telematic systems, ADAS, Automated Driving Systems (ADS), satellite or cellular telecommunication systems, and BMS? If a <span class=\"match\">software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span> is required, to what extent does it provide information regarding <span class=\"match\">software</span> vulnerabilities, and how is this information used, stored, and protected? \n 22. To what extent is <span class=\"match\">software</span> from vendors and suppliers tested and verified to comply with OEM requirements? \n 23. What vendor-vetting and supply"},{"title":"Agency Information Collection Activities: Request for Comment on Secure Software Development Attestation Common Form","type":"Notice","abstract":"In accordance with the requirements of the Paperwork Reduction Act (PRA) of 1995, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS), is soliciting public comment on a self-attestation form to be used by software producers in accordance with the Executive Order on Improving the Nation's Cybersecurity and the Office of Management and Budget's guidance in OMB M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. In accordance with OMB M-22-18, Section III.C, CISA has agreed to serve as steward for this collection. After obtaining and considering public comment, CISA will prepare the submission requesting clearance of this collection as a Common Form to permit other agencies beyond DHS to use this form in order to streamline the information collection process in coordination with OMB.","document_number":"2023-08823","html_url":"https://www.federalregister.gov/documents/2023/04/27/2023-08823/agency-information-collection-activities-request-for-comment-on-secure-software-development","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2023-04-27/pdf/2023-08823.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2023-08823.pdf?1682513119","publication_date":"2023-04-27","agencies":[{"raw_name":"DEPARTMENT OF HOMELAND SECURITY","name":"Homeland Security Department","id":227,"url":"https://www.federalregister.gov/agencies/homeland-security-department","json_url":"https://www.federalregister.gov/api/v1/agencies/227","parent_id":null,"slug":"homeland-security-department"}],"excerpts":"self-attestation from the <span class=\"match\">software</span> producer before using the <span class=\"match\">software</span>.” This requirement applies to new <span class=\"match\">software</span> developed after the date of memo issuance (September 14, 2022) as well as existing <span class=\"match\">software</span> that is modified by major version changes after the date of memo issuance. OMB M–22–18 brings into existence a new and sizeable conformity assessment community. The memorandum introduces conformity assessment expectations and activities for the supply chain starting with the <span class=\"match\">software</span> producer and ending with the federal agency putting the <span class=\"match\">software</span> in to use."},{"title":"Notice of Issuance of Final Determination Concerning Platform Software","type":"Notice","abstract":"This document provides notice that U.S. Customs and Border Protection (CBP) has issued a final determination concerning the country of origin of platform software. Based upon the facts presented, CBP has concluded that the last substantial transformation occurs in the United States.","document_number":"2025-09321","html_url":"https://www.federalregister.gov/documents/2025/05/23/2025-09321/notice-of-issuance-of-final-determination-concerning-platform-software","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2025-05-23/pdf/2025-09321.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2025-09321.pdf?1747917920","publication_date":"2025-05-23","agencies":[{"raw_name":"DEPARTMENT OF HOMELAND SECURITY","name":"Homeland Security Department","id":227,"url":"https://www.federalregister.gov/agencies/homeland-security-department","json_url":"https://www.federalregister.gov/api/v1/agencies/227","parent_id":null,"slug":"homeland-security-department"},{"raw_name":"U.S. Customs and Border Protection","name":"U.S. Customs and Border Protection","id":501,"url":"https://www.federalregister.gov/agencies/u-s-customs-and-border-protection","json_url":"https://www.federalregister.gov/api/v1/agencies/501","parent_id":227,"slug":"u-s-customs-and-border-protection"}],"excerpts":"completion into finished <span class=\"match\">software</span> in the United States.\n \n \n CBP also held in another final determination, HQ H268858, dated Feb. 12, 2016, that conducting a <span class=\"match\">software</span> build resulted in a substantial transformation. In that decision, four <span class=\"match\">software</span> products were produced using a similar multi-stage process: (1) writing the source code in Malaysia; (2) compiling the source code into usable object code in the United States; and (3) installing the finished <span class=\"match\">software</span> on U.S.-origin discs in the United States. CBP held that all four <span class=\"match\">software</span> products were substantially"},{"title":"Medical Devices; Radiology Devices; Classification of the Radiological Computer-Assisted Detection and Diagnosis Software","type":"Rule","abstract":"The Food and Drug Administration (FDA, the Agency, or we) is classifying the radiological computer-assisted detection and diagnosis software into class II (special controls). The special controls that apply to the device type are identified in this order and will be part of the codified language for the radiological computer-assisted detection and diagnosis software's classification. We are taking this action because we have determined that classifying the device into class II (special controls) will provide a reasonable assurance of safety and effectiveness of the device. We believe this action will also enhance patients' access to beneficial innovative devices, in part by reducing regulatory burdens.","document_number":"2025-10789","html_url":"https://www.federalregister.gov/documents/2025/06/13/2025-10789/medical-devices-radiology-devices-classification-of-the-radiological-computer-assisted-detection-and","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2025-06-13/pdf/2025-10789.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2025-10789.pdf?1749732317","publication_date":"2025-06-13","agencies":[{"raw_name":"DEPARTMENT OF HEALTH AND HUMAN SERVICES","name":"Health and Human Services Department","id":221,"url":"https://www.federalregister.gov/agencies/health-and-human-services-department","json_url":"https://www.federalregister.gov/api/v1/agencies/221","parent_id":null,"slug":"health-and-human-services-department"},{"raw_name":"Food and Drug Administration","name":"Food and Drug Administration","id":199,"url":"https://www.federalregister.gov/agencies/food-and-drug-administration","json_url":"https://www.federalregister.gov/api/v1/agencies/199","parent_id":221,"slug":"food-and-drug-administration"}],"excerpts":"plot, sensitivity, specificity, positive and negative predictive values, and diagnostic likelihood ratio). Test datasets must meet the requirements described in paragraph (b)(1)(iii) of this section.\n \n (v) Appropriate <span class=\"match\">software</span> documentation, including device hazard analysis, <span class=\"match\">software</span> requirements specification document, <span class=\"match\">software</span> design specification document, traceability analysis, system level test protocol, pass/fail criteria, testing results, and cybersecurity measures. \n (2) Labeling must include the following: \n (i) A detailed description"},{"title":"Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles","type":"Rule","abstract":"This final rule, published by the Department of Commerce's (Department) Bureau of Industry and Security (BIS), sets forth regulations and procedures to address undue or unacceptable risks to national security and U.S. persons posed by classes of transactions involving information and communications technology and services (ICTS) that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of certain foreign adversaries and that are integral to connected vehicles as defined herein.","document_number":"2025-00592","html_url":"https://www.federalregister.gov/documents/2025/01/16/2025-00592/securing-the-information-and-communications-technology-and-services-supply-chain-connected-vehicles","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2025-01-16/pdf/2025-00592.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2025-00592.pdf?1736862326","publication_date":"2025-01-16","agencies":[{"raw_name":"DEPARTMENT OF COMMERCE","name":"Commerce Department","id":54,"url":"https://www.federalregister.gov/agencies/commerce-department","json_url":"https://www.federalregister.gov/api/v1/agencies/54","parent_id":null,"slug":"commerce-department"},{"raw_name":"Bureau of Industry and Security","name":"Industry and Security Bureau","id":241,"url":"https://www.federalregister.gov/agencies/industry-and-security-bureau","json_url":"https://www.federalregister.gov/api/v1/agencies/241","parent_id":54,"slug":"industry-and-security-bureau"}],"excerpts":"regarding how covered <span class=\"match\">software</span> applies to the <span class=\"match\">software</span> stack for VCS and ADS. Common feedback urged BIS to define <span class=\"match\">software</span>-based components that fall in and out of scope of the regulation, such as application, firmware, middleware, and system <span class=\"match\">software</span>. Commenters also encouraged BIS to provide a definition of these layers of <span class=\"match\">software</span>, particularly emphasizing that a definition was needed for firmware. Commenters advocated for the exclusion of embedded <span class=\"match\">software</span> (\n e.g., \n middleware and system <span class=\"match\">software</span>) because the application <span class=\"match\">software</span> more directly facilitates"},{"title":"Public Listening Sessions on Advancing SBOM Technology, Processes, and Practices","type":"Notice","abstract":"The Cybersecurity and Infrastructure Security Agency will facilitate a series of public listening sessions to build on existing community-led work around Software Bill of Materials (\"SBOM\") on specific SBOM topics.","document_number":"2022-11733","html_url":"https://www.federalregister.gov/documents/2022/06/01/2022-11733/public-listening-sessions-on-advancing-sbom-technology-processes-and-practices","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2022-06-01/pdf/2022-11733.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2022-11733.pdf?1654001133","publication_date":"2022-06-01","agencies":[{"raw_name":"DEPARTMENT OF HOMELAND SECURITY","name":"Homeland Security Department","id":227,"url":"https://www.federalregister.gov/agencies/homeland-security-department","json_url":"https://www.federalregister.gov/api/v1/agencies/227","parent_id":null,"slug":"homeland-security-department"}],"excerpts":"advance the <span class=\"match\">software</span> and security communities' understanding of SBOM creation, use, and implementation across the broader technology ecosystem.\n \n \n \n 2 \n  \n Id. \n at 10(j), 86 FR 26633 at 26646 (May 17, 2021).\n \n \n \n \n 3 \n  Ibid.\n \n \n \n \n 4 \n  Ibid.\n \n \n I. SBOM Background \n \n The idea of a <span class=\"match\">software</span> <span class=\"match\">bill</span> of <span class=\"match\">materials</span> is not novel.\n 5 \n \n It has been discussed and explored in the <span class=\"match\">software</span> industry for many years, building on innovation from industrial and supply chain work.\n 6 \n \n Academics identified the potential value of a “<span class=\"match\">software</span> <span class=\"match\">bill</span> of materials”"},{"title":"Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles","type":"Proposed Rule","abstract":"In this notice of proposed rulemaking (NPRM), the Department of Commerce's (Department) Bureau of Industry and Security (BIS) proposes a rule to address undue or unacceptable risks to national security and U.S. persons posed by classes of transactions involving information and communications technology and services (ICTS) that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of certain foreign adversaries, and which are integral to connected vehicles, as defined herein. BIS is soliciting comment on this proposed rule, which builds on the advance notice of proposed rulemaking (ANPRM) issued by BIS on March 1, 2024.","document_number":"2024-21903","html_url":"https://www.federalregister.gov/documents/2024/09/26/2024-21903/securing-the-information-and-communications-technology-and-services-supply-chain-connected-vehicles","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2024-09-26/pdf/2024-21903.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2024-21903.pdf?1727205730","publication_date":"2024-09-26","agencies":[{"raw_name":"DEPARTMENT OF COMMERCE","name":"Commerce Department","id":54,"url":"https://www.federalregister.gov/agencies/commerce-department","json_url":"https://www.federalregister.gov/api/v1/agencies/54","parent_id":null,"slug":"commerce-department"},{"raw_name":"Bureau of Industry and Security","name":"Industry and Security Bureau","id":241,"url":"https://www.federalregister.gov/agencies/industry-and-security-bureau","json_url":"https://www.federalregister.gov/api/v1/agencies/241","parent_id":54,"slug":"industry-and-security-bureau"}],"excerpts":"ultimate purchaser. \n 16. <span class=\"match\">Software</span> <span class=\"match\">Bill</span> of <span class=\"match\">Materials</span> \n BIS proposes to define “<span class=\"match\">Software</span> <span class=\"match\">Bill</span> of <span class=\"match\">Materials</span>” or SBOM as a formal and dynamic, machine-readable inventory detailing the <span class=\"match\">software</span> supply chain relationships between <span class=\"match\">software</span> components and subcomponents, including <span class=\"match\">software</span> dependencies, hierarchical relationships, and baseline <span class=\"match\">software</span> attributes, including author's name, timestamp, supplier name, component name, version string, component hash, package URL, unique identifier, and dependency relationships to other <span class=\"match\">software</span> components. \n BIS understands"},{"title":"General and Plastic Surgery Devices; Reclassification of Optical Diagnostic Devices for Melanoma Detection and Electrical Impedance Spectrometers, To Be Renamed Software-Aided Adjunctive Diagnostic Devices for Use on Skin Lesions by Physicians Trained in the Diagnosis and Management of Skin Cancer","type":"Rule","abstract":"The Food and Drug Administration (FDA) is issuing a final order reclassifying optical diagnostic devices for melanoma detection (product code OYD) and electrical impedance spectrometers (product code ONV), both postamendments class III device types, into class II (special controls), subject to premarket notification. FDA is also renaming and codifying these devices under the new classification regulation named \"software-aided adjunctive diagnostic devices for use on skin lesions by physicians trained in the diagnosis and management of skin cancer.\" FDA is also establishing the special controls necessary to provide a reasonable assurance of safety and effectiveness of these devices.","document_number":"2026-05772","html_url":"https://www.federalregister.gov/documents/2026/03/25/2026-05772/general-and-plastic-surgery-devices-reclassification-of-optical-diagnostic-devices-for-melanoma","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2026-03-25/pdf/2026-05772.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2026-05772.pdf?1774356312","publication_date":"2026-03-25","agencies":[{"raw_name":"DEPARTMENT OF HEALTH AND HUMAN SERVICES","name":"Health and Human Services Department","id":221,"url":"https://www.federalregister.gov/agencies/health-and-human-services-department","json_url":"https://www.federalregister.gov/api/v1/agencies/221","parent_id":null,"slug":"health-and-human-services-department"},{"raw_name":"Food and Drug Administration","name":"Food and Drug Administration","id":199,"url":"https://www.federalregister.gov/agencies/food-and-drug-administration","json_url":"https://www.federalregister.gov/api/v1/agencies/199","parent_id":221,"slug":"food-and-drug-administration"}],"excerpts":"(see 21 CFR part 820).\n \n FDA agrees that some changes to device <span class=\"match\">software</span> or hardware may require new clinical data, which may require premarket review within the context of a new premarket submission. \n (Comment 9) Several comments expressed concerns related to layperson use of mobile phone-based <span class=\"match\">software</span> applications intended to provide information about or diagnose skin lesions. Commenters stated that these devices have different risks and may have greater risks than the <span class=\"match\">software</span>-aided adjunctive diagnostic devices for use on skin lesions by physicians"},{"title":"New Jersey Transit's Request To Amend Its Positive Train Control Safety Plan and Positive Train Control System","type":"Notice","abstract":"This document provides the public with notice that, on June 22, 2026, New Jersey Transit (NJT) submitted a request for amendment (RFA) to its FRA-approved Positive Train Control Safety Plan (PTCSP), seeking approval to update its Advanced Civil Speed Enforcement System II (ACSES) positive train control (PTC) system's main onboard software with a new software release, known as Back-to-Back (also referred to as B2B or Rev 7). As this RFA involves a request for FRA's approval of proposed material modifications to an FRA-certified PTC system, FRA is publishing this notice and inviting public comment on NJT's RFA to its PTCSP.","document_number":"2026-13184","html_url":"https://www.federalregister.gov/documents/2026/06/30/2026-13184/new-jersey-transits-request-to-amend-its-positive-train-control-safety-plan-and-positive-train","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2026-06-30/pdf/2026-13184.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2026-13184.pdf?1782737119","publication_date":"2026-06-30","agencies":[{"raw_name":"DEPARTMENT OF TRANSPORTATION","name":"Transportation Department","id":492,"url":"https://www.federalregister.gov/agencies/transportation-department","json_url":"https://www.federalregister.gov/api/v1/agencies/492","parent_id":null,"slug":"transportation-department"},{"raw_name":"Federal Railroad Administration","name":"Federal Railroad Administration","id":185,"url":"https://www.federalregister.gov/agencies/federal-railroad-administration","json_url":"https://www.federalregister.gov/api/v1/agencies/185","parent_id":492,"slug":"federal-railroad-administration"}],"excerpts":"its FRA-approved Positive Train Control Safety Plan (PTCSP), seeking approval to update its Advanced Civil Speed Enforcement System II (ACSES) positive train control (PTC) system's main onboard <span class=\"match\">software</span> with a new <span class=\"match\">software</span> release, known as Back-to-Back (also referred to as B2B or Rev 7). As this RFA involves a request for FRA's approval of proposed <span class=\"match\">material</span> modifications to an FRA-certified PTC system, FRA is publishing this notice and inviting public comment on NJT's RFA to its PTCSP. \n \n \n DATES: \n FRA will consider comments received by July 20"},{"title":"Port Authority Trans-Hudson's Request To Amend Its Positive Train Control Safety Plan and Positive Train Control System","type":"Notice","abstract":"This document provides the public with notice that, on February 10, 2025, Port Authority Trans-Hudson (PATH) submitted a request for amendment (RFA) to its FRA-approved Positive Train Control Safety Plan (PTCSP) to request approval to install an updated software version V3.5.121, which includes Zone Controller (ZC) software, a ZC database, Automatic Train Supervision (ATS) software, and a Carborne Controller (CC) software update. As this RFA involves a request for FRA's approval of proposed material modifications to an FRA-certified positive train control (PTC) system, FRA is publishing this notice and inviting public comment on PATH's RFA to its PTCSP.","document_number":"2025-03330","html_url":"https://www.federalregister.gov/documents/2025/03/03/2025-03330/port-authority-trans-hudsons-request-to-amend-its-positive-train-control-safety-plan-and-positive","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2025-03-03/pdf/2025-03330.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2025-03330.pdf?1740750308","publication_date":"2025-03-03","agencies":[{"raw_name":"DEPARTMENT OF TRANSPORTATION","name":"Transportation Department","id":492,"url":"https://www.federalregister.gov/agencies/transportation-department","json_url":"https://www.federalregister.gov/api/v1/agencies/492","parent_id":null,"slug":"transportation-department"},{"raw_name":"Federal Railroad Administration","name":"Federal Railroad Administration","id":185,"url":"https://www.federalregister.gov/agencies/federal-railroad-administration","json_url":"https://www.federalregister.gov/api/v1/agencies/185","parent_id":492,"slug":"federal-railroad-administration"}],"excerpts":"(PATH) submitted a request for amendment (RFA) to its FRA-approved Positive Train Control Safety Plan (PTCSP) to request approval to install an updated <span class=\"match\">software</span> version V3.5.121, which includes Zone Controller (ZC) <span class=\"match\">software</span>, a ZC database, Automatic Train Supervision (ATS) <span class=\"match\">software</span>, and a Carborne Controller (CC) <span class=\"match\">software</span> update. As this RFA involves a request for FRA's approval of proposed <span class=\"match\">material</span> modifications to an FRA-certified positive train control (PTC) system, FRA is publishing this notice and inviting public comment on PATH's RFA to its"},{"title":"Public Safety and Homeland Security Bureau Requests Comment on Implementation of the Cybersecurity Labeling for Internet of Things Program","type":"Proposed Rule","abstract":"In this document, the Federal Communications Commission (Commission or FCC) seeks comment on additional items to further the efficient and timely rollout of the IoT Labeling program. These items include the format of Cybersecurity Label Administrator (CLA) and Lead Administrator applications; filing fees for CLA applications; criteria for selecting CLAs and the Lead Administrator; CLA sharing of Lead Administrator expenses; Lead Administrator neutrality; processes for withdrawal of CLA and Lead Administrator approvals; recognition of CyberLABs outside the United States; complaint processes; confidentiality and security requirements; and the IoT registry.","document_number":"2024-15379","html_url":"https://www.federalregister.gov/documents/2024/07/18/2024-15379/public-safety-and-homeland-security-bureau-requests-comment-on-implementation-of-the-cybersecurity","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2024-07-18/pdf/2024-15379.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2024-15379.pdf?1721220316","publication_date":"2024-07-18","agencies":[{"raw_name":"FEDERAL COMMUNICATIONS COMMISSION","name":"Federal Communications Commission","id":161,"url":"https://www.federalregister.gov/agencies/federal-communications-commission","json_url":"https://www.federalregister.gov/api/v1/agencies/161","parent_id":null,"slug":"federal-communications-commission"}],"excerpts":"contact information for the CLA and CyberLAB, instructions on how to change the default password, information on how to configure the device securely, information as to whether <span class=\"match\">software</span> updates are automatic and how to access updates if not, the minimum support period, and whether the manufacturer maintains a Hardware <span class=\"match\">Bill</span> of <span class=\"match\">Materials</span> (HBOM) and/or a <span class=\"match\">Software</span> <span class=\"match\">Bill</span> of <span class=\"match\">Materials</span> (SBOM).\n \n \n \n \n 15 \n  Regarding whether to disclose whether data is shared with third parties, commenters should consider security/privacy issues and if data should be replicated;"},{"title":"Increasing Market and Planning Efficiency Through Improved Software; Supplemental Notice of Technical Conference on Increasing Market and Planning Efficiency Through Improved Software","type":"Notice","abstract":null,"document_number":"2026-11605","html_url":"https://www.federalregister.gov/documents/2026/06/10/2026-11605/increasing-market-and-planning-efficiency-through-improved-software-supplemental-notice-of-technical","pdf_url":"https://www.govinfo.gov/content/pkg/FR-2026-06-10/pdf/2026-11605.pdf","public_inspection_pdf_url":"https://public-inspection.federalregister.gov/2026-11605.pdf?1781009112","publication_date":"2026-06-10","agencies":[{"raw_name":"DEPARTMENT OF ENERGY","name":"Energy Department","id":136,"url":"https://www.federalregister.gov/agencies/energy-department","json_url":"https://www.federalregister.gov/api/v1/agencies/136","parent_id":null,"slug":"energy-department"},{"raw_name":"Federal Energy Regulatory Commission","name":"Federal Energy Regulatory Commission","id":167,"url":"https://www.federalregister.gov/agencies/federal-energy-regulatory-commission","json_url":"https://www.federalregister.gov/api/v1/agencies/167","parent_id":136,"slug":"federal-energy-regulatory-commission"}],"excerpts":"Technical Conference issued in this proceeding on March 4, 2026, Commission staff will convene a technical conference on July 7 and 8, 2026 to discuss grid-enhancing technologies, load forecasting, and opportunities for increasing market and planning efficiency through improved <span class=\"match\">software</span>. This Supplemental Notice provides an initial agenda for the technical conference, which includes panel discussions addressing grid-enhancing technologies and load forecasting on the first day, July 7, and individual presentations on cutting edge research topics the second"}]}