Army set to require SBOMs for new software by early next year

The Army's software contracts will soon require vendors to provide bills of materials. The new policy applies to almost all software, except for cloud services.

By next February — and possibly sooner — the Army expects to have new rules in place that will require detailed ingredient lists for virtually all of the new software the service buys or builds.

After nearly two years of gathering feedback from industry, Doug Bush, the Army’s top acquisition official, signed a memo that orders the service’s procurement community to begin incorporating software bills of materials (SBOMs) into most new contracts that involve software.

The directive gives the Army 90 days to develop implementation guidance for SBOMs, including sample language for requiring them in contracts. Once that’s done, individual program offices will have another 90 days before they’ll have to add those requirements, including for subcontractors.

“The government has a shared responsibility to manage [supply chain risk],” Bush, the assistant secretary of the Army for acquisition, logistics and technology, wrote in the Aug. 16 memo. “Software is a subset of [supply chain risk management], and SCRM is to be conducted on systems throughout their lifecycle. Army Directive 2024-02 emphasizes the Army’s reliance on software and the importance of understanding the risks systems can introduce to a network and how to mitigate those risks to the greatest extent possible.”

Cloud services exempt from new SBOM requirement

The new policy does include one big carve-out: contracting officers won’t have to insist on SBOMs for cloud services, at least not “at this time.” But for most other software, ranging from new development work at the government’s expense to commercial off-the-shelf (COTS) and open source software, SBOMs will be mandatory.

The new memo is the Army’s answer to the portion of President Biden’s voluminous 2021 executive order on cybersecurity (Executive Order 14028) that dealt specifically with software supply chains, and a later Office of Management and Budget mandate (memorandum M-22-18) that told agencies to shore up the security of their software development practices.

The service first began gathering input from industry on how to implement SBOMs in September 2022, via a request for information. The RFI asked vendors, among other things, to describe their own practices for identifying vulnerabilities in their software supply chains, whether they currently use SBOMs themselves, and what the most efficient ways were to make sure government customers are informed about supply chain risks.

“We’ve worked through it, and more than 90 percent of the people in industry are much better aligned with SBOMs — they’re not necessarily aligned with the software attestations that the federal government is pushing,” Young Bang, Bush’s principal deputy, told attendees at AFCEA’s TechNet conference in Augusta, Georgia, last month.

BOMs favored over attestations

Although the Defense Department has made no major moves to implement software attestations, another method for gaining supply chain assurance, the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency (CISA) have been pressing agencies to adopt the methodology. This summer, CISA released the final version of a new form that third-party vendors will use to self-certify that their products meet minimum security requirements under the government’s Secure Software Development Framework (NIST SP 800-218).

For its part, the Army favors the bill of materials approach, and has been looking to expand it beyond traditional software development.

Last December, the service issued a request for information on a potential forthcoming BOM for AI algorithms under its Project Linchpin, but opted against moving ahead with a formal AI BOM policy.

Instead, the Army is looking to adopt a more simplified model card approach that’s already widely accepted in the AI development community. Those cards describe the processes that were used to generate AI models in human-readable language, and usually include at least some information about any other previous AI work the developers relied on.

Bang said the Army expects to release a policy governing that approach — what the Army, somewhat uniquely, calls “summary cards” — sometime in fiscal 2025.

Meanwhile, the service is moving ahead with the more prescriptive BOM approach for data, although officials have not fully described what that would look like. Bang said, however, that Army officials also expect a data BOM policy to be published sometime in fiscal 2025.

Copyright © 2024 Federal News Network. All rights reserved.
