Software supply chain management has been a hot topic across agencies as many are starting to focus on software bills of materials (SBOMs). Rosa Underwood, cybersecurity adviser for the Information Technology Category in the Federal Acquisition Service at the General Services Administration, said SBOMs are part of how managing the software supply chain has evolved significantly over the last few years.
GSA developed programs to identify supply chain risks for its customer agencies and established the Cybersecurity Supply Chain Risk Management (C-SCRM) division in the ITC to collaborate with and provide support to their suppliers.
“We want to make sure our suppliers are successful with C-SCRM practices and compliance. That also gives us an opportunity to help agencies with whatever challenges they may be having with their cybersecurity supply chain risk management programs. And we feel that by integrating the C-SCRM into our acquisition process, our acquisition staff is better able to identify those risks during market research phase,” Underwood said on Federal Monthly Insights – Software Supply Chain. “We’re also able to formulate better strategies to address and identify cybersecurity risk during the acquisition planning phase. Sometimes that can be a challenge because you may not actually know specifically what those risks are. We look at the benefits of evaluating C-SCRM when awarding contracts; it’s looking at things early, for example, at the pre-award phase, making it a little easier when you are in the post-award state. Sometimes it’s a little bit more of a challenge to mitigate those risks that may have been identified during the post award phase. In addition to cyber risk, we have also developed processes to reduce compliance risk. We screen offerors and their offerings, their products for compliance with Section 889 of the National Defense Authorization Act.”
Apart from section 889, GSA has released a few tools to help assure vendors’ cyber hygiene, including looking at potential risks in their products.
Another tool is used to identify if any of the suppliers are potentially owned by a foreign government.
The ITC division has evolved and continues to with the landscape, seeing how they can enhance certain processes, like SBOMs.
“When you look at the regulations and even some of the policy changes that have come out of the memos, that have come out of the White House, today there’s really no requirements for agencies to gather and use software bill of materials,” Underwood said on the Federal Drive with Tom Temin. “Yes, there is language within [Office of Management and Budget] memo 22-18, but it’s nothing specific. It’s more like agencies can collect additional artifacts such as SBOMs. So there’s nothing really directing agencies right now. But that doesn’t mean we’re not looking at the possibilities. What we’re doing right now, as far as SBOMs, we continuously reevaluate our contract language and our provision, looking for alignment with the executive orders and any recent statues or pending prior cases.”
With SBOMs being at the center of discussion for the last few months, there is still a question on where that fits into the rulemaking process. Underwood said that what they’re doing at GSA within the Federal Acquisition Service, in particular ITC, is looking at and monitoring pending FAR cases, and attending workstream sessions sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) about how agencies will use SBOMs.
“One of the things about what GSA does — we’re not just sitting on our hands, of course, because there’s always something to do when it comes to supply chain risk management in an effort to identify high risk and non-compliant vendors,” Underwood said. “We use a number of tools to perform those risk assessments at pre-award and post-award phases of the acquisition lifecycle.”
GSA recently released a new request for information around supply chain risk management. The ITC is developing a new questionnaire to ensure vendors are abiding by the requirements of NIST 800-161.
“We’re looking to see how vendors are managing the supply chain risk information that could potentially help us improve or look for additional risk,” Underwood added.
The RFI is currently available within eBuy for GSA contractors.