Inside Cybersecurity

May 19, 2024

Daily News

Software group calls for coherence on Software Bill of Materials as lawmakers offer proposals for different agencies

By Sara Friedman / October 18, 2022

BSA-The Software Alliance wants the House and Senate to sort out diverging proposals on Software Bill of Materials contained in each chamber’s version of this year’s annual defense policy bill, and calls for an approach that goes across government rather than focusing just on DHS or the Defense Department.

The House version of the fiscal 2023 National Defense Authorization Act includes a proposal to require DHS contractors to submit a Bill of Materials as part of the procurement process, while the Senate NDAA directs DOD to amend its acquisition rules to require SBOMs for all noncommercial software created or acquired by the Pentagon.

The DOD proposal was in the text of the Senate NDAA released in July and is still part of the bill following the introduction of a substitute amendment to be debated on the floor in November.

BSA and other industry groups pushed the Senate to remove the DHS proposal from House Homeland Security Chairman Bennie Thompson (D-MS) and ranking member John Katko (R-NY). The chamber decided to move in a different direction.

“We support DHS’s ongoing work with industry to advance SBOMs, including its focus on scaling and operationalization, so that when SBOMs are requested users can leverage them to create concrete cybersecurity improvements,” BSA’s Henry Young told Inside Cybersecurity on Friday.

Young, director of policy, said, “DOD is an important customer and vendors will strive to meet whatever cybersecurity requirements it identifies as being necessary to effectively manage its risk, including SBOMs. To create the most secure future, DOD should work to harmonize any requirements it develops with those used in the civilian government, as well as with those of the international community.”

Interest in using SBOM for procurement has grown substantially following the release of the 2021 cyber executive order. The Office of Management and Budget issued a memorandum in September requiring software providers who sell to the government agencies to self-attest that their software is secure based on concepts from NIST’s Secure Software Development Framework.

The memo provides details on how an SBOM can be employed as part of artifacts used to demonstrate conformance with the SSDF and requires agencies use one of the data formats from the National Telecommunications and Information Administration’s minimum elements of an SBOM report or subsequent guidance from CISA.

OMB directs agencies to consider creating SBOM reciprocity “based on direct applicability” with other federal contracts.

At broader level, Young said, “We’d like to see the language harmonize the work on SBOMs across the Federal Government, by referencing work done by Commerce on minimum elements of SBOMs as well as NIST guidance, and by incorporating DHS into the process; all of which will reduce the possibility of differing future requirements for the defense and civilian government.”

The Cyber Safety Review Board found in July that more work needs to be done to make SBOM useful for software supply chain incident response, as part of its investigation into the Log4j software vulnerability. Their recommendations focus on improving “SBOM tooling and adoptability.”

The Cybersecurity Coalition has urged the government to do more to test the effectiveness of SBOM before setting procurement requirements in federal contracts, including establishing pilots and holding workshops to iron out areas of concern.

“The Coalition wants to stress that SBOM represents only one part of a secure software development strategy and lifecycle. Indeed, an SBOM is a tool (one that is very much a work in progress) in promoting good cyber hygiene,” the group said in a May position paper. -- Sara Friedman (