Army set to require SBOMs for new software by early next year

By next February — and possibly sooner — the Army expects to have new rules in place that will require detailed ingredient lists for virtually all of the new software the service buys or builds.

After nearly two years of gathering feedback from industry, Doug Bush, the Army’s top acquisition official, signed a memo that orders the service’s procurement community to begin incorporating software bills of materials (SBOMs) into most new contracts that involve software.

The directive gives the Army 90 days to develop implementation guidance for SBOMs, including sample language for requiring them in contracts. Once that’s done, individual program offices will have another 90 days before they’ll have to add those requirements, including for subcontractors.

“The government has a shared responsibility to manage [supply chain risk],” Bush, the assistant secretary of the Army for acquisition, logistics and technology wrote in the Aug. 16 memo. “Software is a subset of [supply chain risk management, and SCRM is to be conducted on systems throughout their lifecycle. Army Directive 2024-02 emphasizes the Army’s reliance on software and the importance of understanding the risks systems can introduce to a network and how to mitigate those risks to the greatest extent possible.”

Cloud services exempt from new SBOM requirement

The new policy does include one big carve-out: contracting officers won’t have to insist on SBOMs for cloud services, at least not “at this time”. But for most other software — ranging from new development work at the government’s expense to purely commercial-off-the-shelf and open source software, SBOMs will be mandatory.

The new memo is the Army’s answer to the portion of President Biden’s voluminous 2021 executive order on cybersecurity that dealt specifically with software supply chains, and a later Office of Management and Budget mandate that told agencies to shore up the security of their software development practices.

The service first began gathering input from industry on how to implement SBOMs in September 2022, via a request for information. The RFI asked vendors, among other things, to describe their own practices for identifying vulnerabilities in their software supply chains, whether they currently use SBOMs themselves, and what the most efficient ways to make sure government customers are informed about supply chain risks.

“We’ve worked through it, and more than 90 percent of the people in industry are much better aligned with SBOMs — they’re not necessarily aligned with the software attestations that the federal government is pushing,” Young Bang, Bush’s principal deputy told attendees at AFCEA’s TechNet conference in Augusta, Georgia last month.”

BOMs favored over attestations

Although the Defense Department has made no major moves to implement software attestations — another method for gaining supply chain assurance — the Office of Management and Budget and Cybersecurity Infrastructure Security Agency have been pressing agencies to adopt the methodology. This summer, CISA released the final version of a new form third-party vendors will use to self-certify that their products meet minimum security requirements under the government’s Secure Software Development Framework.

For its part, the Army favors the bill of materials approach, and has been looking to expand it beyond traditional software development. Last December, the service issued a request for information on a potential BOM for AI algorithms for its Project Linchpin, but didn’t move ahead with a formal AI BOM policy.

Bang said the Army does intend to move ahead with new BOM requirements for data, however, and that a data BOM policy should be published some time in fiscal 2025.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.