How DHS encourages software startups to remember their bills of material

If you buy or approve the acquisition of software for the government, you probably already know: you are going to have to deal with something called a software bill of materials, or S-BOM, as part of understanding what you are getting. Now the Science and Technology Directorate of the Homeland Security Department is aiming to help with software provenance and supply chain issues, and it is doing so through the Silicon Valley Innovation Program. The Federal Drive with Tom Temin spoke with the program’s technical director, Anil John.

Interview transcript:

Tom Temin Tell us what this program is all about. You’re partnering across government here, other parts of [Department of Homeland Security (DHS)], and what are you trying to accomplish?

Anil John Sure. The Silicon Valley Innovation Program was stood up about six or seven years ago, because the department knew that it was having trouble reaching technology and startup talent from the startup community. Not just in the U.S., but globally as well. So we are a program that was stood up in order to find global technology and talent from the startup community to solve the problems of the department. And in this particular area, we are partnering with, obviously, one of the components of our DHS, [Cybersecurity and Infrastructure Security Agency (CISA)], in order to sort of help the ecosystem in providing visibility to software supply chain in general, across a wide variety of areas.

Tom Temin And you’re looking for people to hire into the government? Or to just do research for the government, to help it understand these issues of supply chain and software?

Anil John We are actually not, even though we are part of the S&T Directorate within our DHS. SVIP tends to be more on the shaping up product side rather than pure R&D. So the projects that we are involved in, which we call the software supply chain Visibility Tools Project, is very much about shaping commercial products in order to meet the needs of government and the broader industry in general. Such that it is available not just to DHS, but also to the broader market in order to leverage as well. In that area, as you noted, it tends to be very much about putting into place contracts with startup companies in order to shape their products, in order to build capabilities that can be used by government agencies. And it is not about hiring people.

Tom Temin And what are some of the qualitative or quantitative differences in how the government would need to have software supply chain visibility versus what industry might need?

Anil John Our thesis here is that it should not be different. We all source software from the same place. The broader market that exists around software, we all use commercial software. Whether you’re in the private sector or in government. So what is really, really important for us is to make sure that software, whether it is using open source components, closed source components and things like that, are built in a manner that provides visibility and transparency into it. So I don’t consider the way that software is used within government to be any different than where a way that it would be used in a Fortune 500 or in a mid-sized or a small sized company.

Tom Temin Because there are so many companies developing software. That’s what startups basically do in Silicon Valley nowadays, they don’t develop new silicon. Are you trying to generally reach them all with some point of reference? How do you get at the breadth of what’s happening in software?

Anil John For sure, so that sort of leads directly to what we articulated in partnership with CISA into the community and what we are looking for here. Right. And I think the broad umbrella is very much about providing visibility into the software supply chain components. But we sort of broke it up into a variety of what we call technical topic areas. We fully believe that there needed to be some foundational open source work that needed to be done in order to provide translations between different representations of S-BOMs. I think everybody uses the term S-BOM, but within the software development community itself, there are multiple ways of how to create an S-BOM. So we wanted to make sure that we funded some work that basically created a foundational open source library, that provided translations across multiple S-BOM formats that could be used by the government, used by the private sector, and used by anybody that wants to leverage that. And building on top of that, we actually wanted to have the companies build capabilities across the entire software development lifecycle. So how do you sort of integrate S-BOM directly into the build pipeline? Whether it is integrating into the continuous integration pipeline that a company might have in order to build software, whether it is integrating into the software code repositories that are out there, then moving into ensuring that if you are an organization that’s consuming that. How do you sort of tie what the software components are to potential vulnerabilities that currently exist? So providing some sort of visualization that brings those two together. And those are, again, some of the technical topic areas. But even more than that, we are a program and in partnership with CISA, we were not interested in admiring the problem any further. We actually wanted to provide capability, for example, that developers who work in software IDEs had the ability to directly ingest this capability directly to them.
So there is a workstream that is focused on that. And last but not least, if you’re an administrator within an organization. One of the software components that you use is [Security Information Event Management (SIEM)] software. So how do you integrate S-BOM visibility and vulnerability visibility directly to them? So those are all, I would say, workstreams that we put out in the solicitation on what we want capabilities for.

Tom Temin Ok. And just define SIEM for us one more time.

Anil John So SIEM is, Security Information Event Management. This tends to be more, not developer centric, but more administrator centric in an IT department. So we wanted integration with that type of capability for providing visibility for both vulnerabilities and S-BOM information to that particular segment of the audience as well.

Tom Temin And tell us how the program works. What do you actually do to inculcate this type of thinking of developing open source S-BOM organically as you develop programs? How do you get that word out and ask people to actually do it?

Anil John Sure. The SVIP program actually works in four phases. Phase one tends to be, we’ve all met companies and people who have beautiful resumes who couldn’t ship anything if their life depended on it. So phase one for us is basically the ability to put into place multiple contracts, with multiple companies, simultaneously, not to solve the same problem, to understand who can actually walk the talk, who can actually deliver a capability itself. Then if they are able to show us their approach to solving the problem, show us a minimum viable product that actually has a clear understanding of their approach to solving a problem, we invite them to a next phase where the full capability is built out at that point in time. So this is capabilities, obviously, contributing to the open source piece, contributing to building the integration with IDEs, visibility tools, SIEM products and the like, and that is phase two. And if that goes well, because we tend to be not a research program, but a program that shapes products for operational deployment into the environment.

Anil John In phase three, I throw our red team at them. So this is for security and privacy evaluation of what they have built. It could be, in this particular case, we fully expect to do a full end to end code review of the open source components themselves. But companies are building, on top of the open source components, products that they want to set into the marketplace. We will, obviously, under NDA, test their products as well, because it gives them confidence when they go and sell this. Then last but not least, in phase four of the SVIP program, our operational components within the department have the ability to test that product in an operational setting. And at the end of it, two things happen. One of them is the product becomes ready, a real SKU of the product becomes available in the market, such that we can buy it or anybody in the market can buy it. DHS in particular has the ability to directly acquire that technology from that company at that point in time as well.

Tom Temin Because I was going to ask, what’s the incentive for them to do what the Science and Technology Directorate of Homeland Security and CISA would like them to do? Because I would think, you got to be interested in buying it, for one thing. Because they could say, well, golly, this is a commercial product. Government’s going to be 5% of my business, but 50% of my work. Why should I?

Anil John That is precisely why our program was set up. We actually do not want a government solution. We do not want the companies that we work with to pivot into government and provide a capability that is solely of use by the government. So our, for lack of a better word, pitch to the startups that we work with is, we have an interesting set of problems that we need to solve. You have very interesting technology we believe can help solve it. We will give you some funding in order to bake the solution to our problem into your product. And what we want you to do is take it out into the market and make it successful, so that you are actually providing that capability to the broader private sector. And if you are able to do so, we would be happy to buy that technology as well, because it is just as usable for us. So for us it is a combination of don’t depend on the government for the care and feeding of your software. You want to be self-sustainable in the marketplace. And second, we have, at least for this particular solicitation, a two-tier model. We expect them to contribute to a foundational layer that is open source, and we expect them to build value added capabilities that are on top of it, which are obviously paid products that people would actually pay for. So that is the incentive and the approach to ensuring that products actually exist.

Tom Temin And how many companies are you working with?

Anil John So this is where I need to be very careful. Solicitation was back in October, very competitive solicitation. I would say that more than 25 companies applied to the project itself. We have selected somewhere between greater than five, less than 10. And I am tap dancing around it, simply because the official announcement has not come out yet on who has been awarded. That will come out over the next 30 days or so, and there will be full visibility into that. So, more than five, less than 10.

Tom Temin But you had sufficient response to the solicitation that you feel this is something that resonates.

Anil John Oh, my goodness, yes. Like I said, 25 plus companies from all over the world applying to the project with really, really interesting ways of solving the problem. And one of the ways that we tried to solve the problem within SVIP is we multi-track. We fund multiple companies, simultaneously, to solve the same problem because we do not want to get caught up in the echo chamber of just one solution. So a diversity in thought, diversity in the team, diversity on what that background really has an impact on the quality of the solution. So the ability to select from a multitude and fund multiple ones in order to solve the problem has been really helpful, not just to us, obviously, and more importantly to our component partners at CISA.
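Two of the workstreams described in the interview, translating between S-BOM representations and tying listed components to known vulnerabilities, can be shown end to end in a few dozen lines. The script below is an added illustration, not code from SVIP, CISA or any awarded company. It assumes a hand-built CycloneDX 1.4 JSON input, translates the subset of fields it uses into a minimal SPDX 2.3 JSON document, and then matches the resulting packages against a constructed advisory list whose identifiers (ADV-EXAMPLE-*) are placeholders rather than real advisories.

```python
import json
import re

# Constructed sample input: a minimal CycloneDX 1.4 JSON S-BOM for a hypothetical
# application. This is not a real product's BOM.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "2.0.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
        {"type": "library", "name": "libbar", "version": "4.0.1", "purl": "pkg:generic/libbar@4.0.1"},
    ],
})

# Constructed advisory feed with placeholder identifiers (not real CVEs):
# which versions of which package are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "libfoo", "affected_versions": ["1.2.2", "1.2.3"]},
    {"id": "ADV-EXAMPLE-0002", "package": "libbaz", "affected_versions": ["0.9.0"]},
]


def _spdx_id(name: str, version: str) -> str:
    # SPDX element identifiers are "SPDXRef-" followed only by letters, digits, '.' and '-'.
    raw = f"Package-{name}-{version}"
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", raw)


def cyclonedx_to_spdx(cdx_json: str) -> dict:
    """Translate the CycloneDX subset used above into a minimal SPDX 2.3 JSON document.

    Each CycloneDX component becomes an SPDX package. The root (metadata) component
    is the package the document DESCRIBES; every other component is recorded as a
    DEPENDS_ON relationship from the root.
    """
    cdx = json.loads(cdx_json)
    if cdx.get("bomFormat") != "CycloneDX":
        raise ValueError("input is not a CycloneDX document")
    root = cdx.get("metadata", {}).get("component")
    if root is None:
        raise ValueError("CycloneDX document has no metadata.component")

    packages = []
    relationships = []

    def add_package(comp: dict) -> str:
        pid = _spdx_id(comp["name"], comp.get("version", ""))
        pkg = {
            "SPDXID": pid,
            "name": comp["name"],
            "versionInfo": comp.get("version", ""),
            "downloadLocation": "NOASSERTION",
        }
        if "purl" in comp:  # carry the package URL across as an SPDX external reference
            pkg["externalRefs"] = [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": comp["purl"],
            }]
        packages.append(pkg)
        return pid

    root_id = add_package(root)
    relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                          "relationshipType": "DESCRIBES",
                          "relatedSpdxElement": root_id})
    for comp in cdx.get("components", []):
        dep_id = add_package(comp)
        relationships.append({"spdxElementId": root_id,
                              "relationshipType": "DEPENDS_ON",
                              "relatedSpdxElement": dep_id})

    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{root['name']}-{root.get('version', '')}",
        # Placeholder namespace; a real generator would use its own URI.
        "documentNamespace": f"https://example.invalid/spdx/{root['name']}",
        "packages": packages,
        "relationships": relationships,
    }


def match_advisories(spdx_doc: dict, advisories: list) -> list:
    """Return (package, version, advisory id) triples for SPDX packages with a matching advisory."""
    findings = []
    for pkg in spdx_doc["packages"]:
        for adv in advisories:
            if pkg["name"] == adv["package"] and pkg["versionInfo"] in adv["affected_versions"]:
                findings.append((pkg["name"], pkg["versionInfo"], adv["id"]))
    return findings


if __name__ == "__main__":
    spdx = cyclonedx_to_spdx(CYCLONEDX_SBOM)
    print(json.dumps(spdx, indent=2))
    for name, version, adv_id in match_advisories(spdx, ADVISORIES):
        print(f"{name} {version}: {adv_id}")
```

The matching is deliberately exact on version strings; a production tool would normalise versions and evaluate ranges, and would take its advisories from a maintained feed rather than an inline list. The translation keeps only name, version and package URL, which is the information the vulnerability correlation step actually needs.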

Copyright © 2023 Federal News Network. All rights reserved.
