The Army's software contracts will soon require vendors to provide bills of materials. The new policy applies to almost all software, except for cloud services.
By next February — and possibly sooner — the Army expects to have new rules in place that will require detailed ingredient lists for virtually all of the new software the service buys or builds.
After nearly two years of gathering feedback from industry, Doug Bush, the Army’s top acquisition official, signed a memo that orders the service’s procurement community to begin incorporating software bills of materials (SBOMs) into most new contracts that involve software.
The directive gives the Army 90 days to develop implementation guidance for SBOMs, including sample language for requiring them in contracts. Once that’s done, individual program offices will have another 90 days before they’ll have to add those requirements, including for subcontractors.
“The government has a shared responsibility to manage [supply chain risk],” Bush, the assistant secretary of the Army for acquisition, logistics and technology, wrote in the Aug. 16 memo. “Software is a subset of [supply chain risk management], and SCRM is to be conducted on systems throughout their lifecycle. Army Directive 2024-02 emphasizes the Army’s reliance on software and the importance of understanding the risks systems can introduce to a network and how to mitigate those risks to the greatest extent possible.”
The new policy does include one big carve-out: contracting officers won’t have to insist on SBOMs for cloud services, at least not “at this time.” But for most other software, ranging from new development work at the government’s expense to purely commercial-off-the-shelf and open source software, SBOMs will be mandatory.
The new memo is the Army’s answer to the portion of President Biden’s voluminous 2021 executive order on cybersecurity that dealt specifically with software supply chains, and a later Office of Management and Budget mandate that told agencies to shore up the security of their software development practices.
The service first began gathering input from industry on how to implement SBOMs in September 2022, via a request for information. The RFI asked vendors, among other things, to describe their own practices for identifying vulnerabilities in their software supply chains, whether they currently use SBOMs themselves, and what the most efficient ways would be to make sure government customers are informed about supply chain risks.
“We’ve worked through it, and more than 90 percent of the people in industry are much better aligned with SBOMs — they’re not necessarily aligned with the software attestations that the federal government is pushing,” Young Bang, Bush’s principal deputy, told attendees at AFCEA’s TechNet conference in Augusta, Georgia last month.
Although the Defense Department has made no major moves to implement software attestations — another method for gaining supply chain assurance — the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency have been pressing agencies to adopt the methodology. This summer, CISA released the final version of a new form that third-party vendors will use to self-certify that their products meet minimum security requirements under the government’s Secure Software Development Framework.
For its part, the Army favors the bill of materials approach, and has been looking to expand it beyond traditional software development.
Last December, the service issued a request for information on a potential forthcoming BOM for AI algorithms under its Project Linchpin, but opted against moving ahead with a formal AI BOM policy.
Instead, the Army is looking to adopt a simpler model card approach that’s already widely accepted in the AI development community. Those cards describe, in human-readable language, the processes that were used to generate AI models, and usually include at least some information about any previous AI work the developers relied on.
Bang said the Army expects to release a policy governing that approach — what the Army, somewhat uniquely, calls “summary cards,” sometime in fiscal 2025.
Meanwhile, the service is moving ahead with the more prescriptive BOM approach for data, though officials have not fully described what that would look like. Bang said, however, that Army officials also expect a data BOM policy to be published sometime in fiscal 2025.
Copyright © 2024 Federal News Network. All rights reserved.
Jared Serbu is deputy editor of Federal News Network and reports on the Defense Department’s contracting, legislative, workforce and IT issues.