Three US government agencies have proposed new rules for federal contractors which would require them to develop and maintain a software bill of materials (SBOM) for any software used to deliver a contract.
Issued by the Department of Defense (DoD), NASA and the General Services Administration (GSA), the proposals can be seen as a response to President Biden’s executive order of May 2021, specifically the part designed to enhance incident response.
They are part of the new proposed rule: Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017).
An SBOM is an official inventory of all the components in a piece of open source or proprietary software, including the often-complex hierarchical relationships between them. They’re seen as a critical step forward in mitigating software supply chain risk, by improving visibility into potential vulnerabilities and accelerating remediation of known flaws.
“SBOMs can be critical in incident response, as they allow for prompt identification of any sources of a known vulnerability,” the text of the proposals noted.
However, nothing is set in stone yet. In fact, the DoD, NASA and GSA are asking for input on the following questions:
- How should SBOMs be collected from contractors? What protections are necessary for the information contained within an SBOM?
- How should the government think about the appropriate scope of the requirement on contractors to provide SBOMs to ensure appropriate security?
- What challenges will contractors face in the development of SBOMs? What challenges are unique to software resellers? What challenges exist regarding legacy software?
- What are the appropriate means of evaluating when an SBOM must be updated based on changes in a new build or major release?
- What is the appropriate balance between the government and the contractor, when monitoring SBOMs for embedded software vulnerabilities as they are discovered?
Chris Hughes, chief security advisor at Endor Labs and cyber innovation fellow at CISA, argued that the proposals will have a “wide and impactful ripple effect” and show “just how far the government is willing to go to pursue transparency.”
The government could effectively force contractors to demand SBOMs from all their third-party software suppliers, but this may come with some challenges, he added.
“It is noteworthy that the rule requires SBOMs to align with the criteria laid out in the [National Telecommunications and Information Administration] NTIA defined ‘minimum elements.’ Studies have found that the majority of SBOMs available from sample sources, such as open source projects, do not meet these minimums,” Hughes continued.
“Software suppliers and/or government contractors not only have to provide an artifact (SBOM) before many of them are ready and able, but they must also meet a level of maturity that so far seems to be lacking across the industry.”
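As an added example (not code from the article, the agencies or NTIA), the following Python checks a CycloneDX-style SBOM document against the NTIA minimum elements referred to above: supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data and timestamp. The sample document and the exact field names are constructed assumptions; a real checker would follow the CycloneDX or SPDX schema in use.

```python
import json
from typing import List

# Constructed sample (assumption: simplified CycloneDX-style JSON, not a real SBOM).
# The second component is deliberately incomplete to show how gaps are reported.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"timestamp": "2023-10-05T12:00:00Z",
                 "authors": [{"name": "example-build-pipeline"}]},
    "components": [
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad",
         "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "supplier": {"name": "left-pad maintainers"}},
        {"bom-ref": "lib-x", "name": "lib-x"},
    ],
    "dependencies": [{"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": []}],
})


def check_ntia_minimum_elements(sbom_json: str) -> List[str]:
    """Return a list of NTIA minimum-element gaps; an empty list means all present."""
    doc = json.loads(sbom_json)
    gaps: List[str] = []
    meta = doc.get("metadata", {})
    # Document-level elements: author of the SBOM data and a timestamp.
    if not (meta.get("authors") or meta.get("tools")):
        gaps.append("document: missing author of SBOM data")
    if not meta.get("timestamp"):
        gaps.append("document: missing timestamp")
    # Collect every ref that appears anywhere in the dependency graph.
    in_graph = set()
    for dep in doc.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    for comp in doc.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        # Per-component elements: supplier, name, version, unique identifier.
        if not (comp.get("supplier") or {}).get("name"):
            gaps.append(f"{label}: missing supplier name")
        if not comp.get("name"):
            gaps.append(f"{label}: missing component name")
        if not comp.get("version"):
            gaps.append(f"{label}: missing version")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            gaps.append(f"{label}: missing unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in in_graph:
            gaps.append(f"{label}: no dependency relationship declared")
    return gaps
```

Running `check_ntia_minimum_elements(SAMPLE_SBOM)` flags only the incomplete `lib-x` entry, which is the kind of gap a contractor would have to close before the artifact meets the minimum elements.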