The State Department released a first-of-its-kind memo earlier this year tackling how new software supply chain risk management processes will change the federal contracting and awards space. Michael Derrios, deputy assistant secretary and senior procurement executive at the State Department, said State chose to move forward with the new policy ahead of the expected rules from the Office of Management and Budget because the department is at the forefront of being targeted.
“The State Department is probably the most targeted by bad guys trying to infiltrate our systems,” he said on Federal Monthly Insights – Software Supply Chain. “We took the executive order serious, and decided to start conditioning our vendor base to think about this, because we knew OMB was going to be driving this and trying to actually put some meat on the bones.”
The State Department started by collecting software bills of materials (SBOMs) and attestation forms from its industry partners to prepare them for the upcoming rules. Derrios said State contracting officers are adding these requirements to solicitations as part of how they evaluate contractors.
“Industry had to actually start sharing their cyber plans with us and letting them know that we take it so serious that we’re going to start evaluating the quality of them. That could be a function of a company getting an award and another company, maybe not,” Derrios said. “We have developed those standard clauses now and are starting to put those in use. We have a very good relationship with our CIO organization and Donna Bennett, especially, is the enterprise chief information security officer (CISO) for the department. She helped us in developing that interim policy. We’ve got a good partnership where her staff and is helping us and our contracting officers make those judgment calls on the quality of the SBOMs and the attestation forms.”
The memo makes supply chain risk management (SCRM) a mandatory “go/no go” evaluation factor, and the contracting officer will have to evaluate the attestation forms within 14 days of the award.
Supply chain risk management is as much about dialogue as it is about traditional cybersecurity actions and responses. Companies will be required to report clearly on their cybersecurity efforts when applying for contracts, and will have to inform the State Department about their ability to meet the new standards.
“I think it was a good idea for us to start frontloading it and starting the dialog now so that vendors can get ready, because it is going to be pricey for a company to acquire new tools on their side to really start gaining some of the deep insight into their supply chain, so that they can demonstrate that back to us,” Derrios told Federal News Network Executive Editor Jason Miller. “That’s going to be an investment that some of those companies are going to have to make.”
The State Department wants companies that have rock-solid cybersecurity plans and infrastructure, because industry partners will be in contact with important data. The agency recognizes that it may have to pay a premium in best-value tradeoff decisions as it moves forward.
Derrios said the memo and contract clauses are based on the guidance from the National Institute of Standards and Technology (NIST) Special Publication 800-218.
NIST is creating the rules departments will need to prepare for implementing the new supply chain risk management processes, including those for SBOMs and vendor risk assessments.
“I think it’s key to go back to the old kind of blocking and tackling of risk management,” Jon Boyens, deputy chief of the Computer Security Division at NIST, told the Federal Drive with Tom Temin. “And it’s knowing who the critical suppliers of that software is. It’s knowing what software you have in your network, the relationship between the technologies and software in the network, and the risk impacts that they could have.”
NIST’s work was in direct response to Executive Order 14028: Improving the Nation’s Cybersecurity. The White House issued the order in May of 2021 after the 2020 SolarWinds attack that targeted thousands of organizations globally, and multiple parts of the U.S. government. The attack, believed to have been carried out by the Russian government, resulted in a series of data breaches.
Boyens said that managing supply chain risk is still a work in progress, not a silver bullet, and organizations will need to have broader and deeper vulnerability management programs established in order to reap the benefits of SBOMs.
Meeting the challenges of the executive order necessitates that agencies enhance cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. NIST is developing internal processes to assess how agencies are doing.
“A lot of work is ongoing on SBOMs out of [the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency]. SBOMs have been around for 35-plus years in the software development field. When they are developing a big software package and they’re using third party software, they usually get the software bills of materials or component inventories, which is another name for them,” Boyens said. “But that’s a development stage. And there’s usually nondisclosure agreements.”
While SBOMs have been around for over three decades, industry is still in the early stages of their use. Industry partners will have to adjust to the new requirements, and to the labor and costs that go along with the conversion. Also on the horizon, the number of third-party vendors that can evaluate SBOMs is regularly increasing, creating another avenue for compliance.
“I would say it’s three steps forward, two steps back,” Boyens said. “But I have seen a sustained effort and progress over the last few years. So I’m much more hopeful than I was 10 years ago.”