United States · reference standard

The floor every SBOM must clear

Published under a US executive order, the NTIA minimum elements are the common answer to "what counts as an SBOM": required data fields, machine-readable formats, and the practices around producing them. Customers and regulators worldwide have borrowed them as their baseline.

Who this applies to
Anyone producing or consuming SBOMs: the minimum elements are the shared floor buyers, regulators, and tooling agree on.
What it asks for
Data fields
Supplier, component name, version, unique identifiers, dependency relationships, SBOM author, and timestamp for every component.
Automation support
Machine-readable generation and consumption in accepted formats such as CycloneDX or SPDX.
Practices and processes
Frequency, depth, distribution, access, and honest handling of known-unknowns.
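
As an added illustration (not SecuNexa or BOMNexa code), this Python check walks a parsed CycloneDX JSON document for the data fields listed above, and accepts a component whose relationships are declared unknown in `compositions` as a declared known-unknown rather than a gap. The mapping from minimum elements to CycloneDX properties, with author and timestamp read once from the document `metadata`, is this example's assumption, and the sample BOM is constructed.

```python
# Added example: NTIA minimum-element gap check over a parsed CycloneDX JSON BOM.
# Field mapping is an assumption of this example, not taken from the page.
UNKNOWN = {"unknown", "incomplete"}  # CycloneDX composition aggregate values

def minimum_element_gaps(bom):
    """Return a list of 'where: what is missing' strings; empty means no gaps."""
    gaps = []
    meta = bom.get("metadata") or {}
    if not meta.get("timestamp"):
        gaps.append("metadata: timestamp")
    if not meta.get("authors"):
        gaps.append("metadata: SBOM author")
    has_deps = {d.get("ref") for d in bom.get("dependencies") or []}
    declared = set()  # refs whose relationships are explicitly declared unknown
    for comp in bom.get("compositions") or []:
        if comp.get("aggregate") in UNKNOWN:
            declared.update(comp.get("dependencies") or [])
    for c in bom.get("components") or []:
        ref = c.get("bom-ref")
        where = ref or c.get("name") or "<unnamed>"
        if not c.get("name"):
            gaps.append(f"{where}: component name")
        if not c.get("version"):
            gaps.append(f"{where}: version")
        if not (c.get("supplier") or {}).get("name"):
            gaps.append(f"{where}: supplier")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            gaps.append(f"{where}: unique identifier")
        if ref not in has_deps and ref not in declared:
            gaps.append(f"{where}: dependency relationship")
    return gaps

# Constructed sample document (illustrative values only).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {"timestamp": "2025-01-01T00:00:00Z",
                 "authors": [{"name": "Example Build Bot"}]},
    "components": [
        {"bom-ref": "a", "name": "lib-a", "version": "1.0.0",
         "supplier": {"name": "Example Org"}, "purl": "pkg:npm/lib-a@1.0.0"},
        {"bom-ref": "b", "name": "lib-b", "version": "2.1.0"},
        {"bom-ref": "c", "name": "lib-c", "version": "0.3.0",
         "supplier": {"name": "Example Org"}, "purl": "pkg:npm/lib-c@0.3.0"},
    ],
    "dependencies": [{"ref": "a", "dependsOn": ["b", "c"]}],
    "compositions": [{"aggregate": "unknown", "dependencies": ["b"]}],
}

if __name__ == "__main__":
    for gap in minimum_element_gaps(SAMPLE_BOM):
        print(gap)
```
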
How SecuNexa and BOMNexa map to it
Data fields
SecuDep resolves the full dependency graph with identifiers and relationships; generation metadata and timestamps are stamped in every document.
Automation support
CycloneDX 1.6 output, produced automatically per build in CI, consumable by any compliant tool.
Known-unknowns
Unresolved components are explicitly declared rather than omitted, which the minimum elements specifically call for and most tools skip.

Tools do not make you compliant; they make compliance provable. SecuNexa and BOMNexa supply the technical evidence described on this page. Governance, process, and legal interpretation belong to your compliance function, and this page is not legal advice.

Frequently asked questions
Is meeting the minimum elements enough?

It is the floor, not the target. Regulations like the EU CRA and FDA guidance build on it with support-status, vulnerability linkage, and lifecycle expectations, all of which the platform’s BOM outputs already carry.

Depth: top-level or full tree?

The minimum elements require at least top-level dependencies with known-unknowns declared. SecuNexa SBOMs carry the complete transitive graph, which future-proofs you against the direction every framework is moving.
