The Army is exploring how to use Software Bills of Material requirements in contracts, potentially putting the military department at the leading edge of federal organizations looking to use “SBOMs” to secure their software supply chains.

In an Oct. 21 request for information, the Army’s acquisition directorate is seeking feedback on “effective, streamlined, and innovative ways” to improve software supply chain security, specifically through the use of SBOMs.

“Effective, security-focused software is critical to enabling future Army capabilities to dominate future conflicts,” the RFI states. “However, unknown components can cause systems to perform in unexpected ways and create exposure to attack when the components have vulnerabilities.”

The Army is looking for information on the collection and review of SBOMs, as well as “associated scanning and other supply chain risk management (SCRM) information.” The RFI asks for feedback on a range of issues, including sample contract language that would require SBOMs as a major deliverable in contracts involving software.

“Responses from this RFI will be used to formatively shape broad Army guidance for acquiring software solutions,” it states. Responses to the notice are due Nov. 10.

‘It’s going to happen’

The SBOM has emerged in recent years as one major tool to potentially help government and industry better understand and secure complex software supply chains. The National Telecommunications and Information Administration, which led efforts to develop and define the SBOM concept, describes it as “formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships.”

President Joe Biden’s May 2021 cybersecurity executive order also directs the use of SBOMs as part of secure software standards.

“Software developers and vendors often create products by assembling existing open source and commercial software components,” the order states. “The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging.”

However, SBOMs remain largely conceptual when it comes to federal procurement. New software supply chain security guidance from the White House encourages, but does not require, agencies to use the lists.

Technology trade groups have also pushed lawmakers to drop language in the annual defense bill that would require the Department of Homeland Security to use SBOMs. The industry-backed organizations argue it’s too early for agencies to require SBOMs because of a lack of standardization around the concept.

But the Army appears bullish on the software ingredients lists.

“The Army is going to go headfirst into SBOMs,” Young Bang, principal deputy assistant secretary of the Army for acquisition, logistics and technology, said during an Oct. 11 panel at the Association of the United States Army’s annual conference in Washington.

“Some of you might have concerns on it — that’s great,” Bang added. “We want to hear those concerns, come and talk to us specifically about it, but it’s going to happen. We’re going to do it, and the Army is going to be the first agency that is going to implement this correctly.”

Jennifer Swanson, deputy assistant secretary of the Army for data engineering and software, said the service needs better visibility into its software dependencies.

“And we’re not saying open source is bad, but we are saying we need to understand, did China contribute to that code?” Swanson said during AUSA. “Where is that code coming from when we’re buying [Commercial Off-the-Shelf], for example? Where is that code being developed? Is it being outsourced to countries that maybe we don’t want them in our code?”

Swanson said the Army wants to eventually use tools to scan any software for critical vulnerabilities, regardless of whether it was developed commercially or specifically for government use.

“Our nirvana for cybersecurity of software and the whole SBOM concept is to have a repository of code, whether it’s COTS, or [Government-Off-The-Shelf] or whatever, that’s already been through the scans,” Swanson said. “And that’s where vendors pull from to develop code. That is a heavy lift based on where we are today. It’s going to take a little bit of time, but that is really where we want to go so that we can verify the software ourselves before it makes it into our code.”

The Army will also have to take the responses from its latest RFI and figure out how to incorporate a relatively young concept into a notoriously cumbersome acquisition process.

“We have to train our technical and our contracting folks about what that means, because that’s something new,” Megan Dake, deputy assistant secretary of the Army for procurement, said during AUSA. “We know what bombs are, but SBOMs is a whole other world. So you’re going to see those in future requirements . . . how do we evaluate those in our source selections? And how do we write those into our RFPs?”

 

X