The U.S. Army has issued a request for information (RFI) for industry feedback on approaches currently being developed to address software supply chain issues, with a focus on the “acquisition, validation, ingest, and use of Software Bills of Material (SBOMs) and closely associated matters.”
The RFI, issued on Oct. 21, stresses the Army’s reliance on software to achieve mission outcomes, explaining that “effective, security-focused” software is “critical to enabling future Army capabilities to dominate future conflicts.” The Army notes that unknown software components can cause its systems to perform in unexpected ways and create openings for would-be attackers.
To limit exposure to attack, the Army says it needs a clear and detailed understanding of all software components and their provenance in order to conduct risk assessments and mitigate any risks effectively. “The Army must ensure the software underpinning every aspect of its mission is secure and resilient to adversarial interference, and must have the ability to identify issues early and swiftly respond,” the RFI explains.
The Office of the Assistant Secretary of the Army for Acquisition, Logistics and Technology, ASA(ALT), is currently seeking feedback from traditional and non-traditional commercial partners. ASA(ALT) is looking to gather ideas to improve software supply chain security through the collection and review of SBOMs and associated scanning and other supply chain risk management (SCRM) information. The end goal is to ensure Army software is secure and that any vulnerabilities can be addressed quickly throughout the software lifecycle.
In the RFI, the Army says it is seeking feedback on potential contracting approaches for securing the software supply chain; tools and methods to analyze SBOMs to identify issues; and concepts, concerns, and issues around the Army’s implementation of SBOMs and their incorporation into cyber supply chain risk management (C-SCRM). The Army further noted that, depending on industry feedback to the RFI, it may follow up with additional engagement opportunities. Those opportunities could include question and answer sessions, one-on-one engagements, roundtables, and/or requests for additional written information.
Respondents are asked to share ideas on effective contract structures and changes in policy and licensing that could be used to:
- “Select contract types that are best suited for secure software development and SBOM generation and submission;
- Incentivize high-quality, timely, comprehensive SBOMs;
- Enable software assurance risk evaluation and mitigation techniques of COTS software, GOTS software, company developed software, and subcontractor developed software;
- Ensure acquisitions incorporate requirements and accountability for secure software development practices; and
- Successfully reduce timelines to identify and mitigate risks and issues within the software supply chain.”
Responses are due by Nov. 10. The RFI notes that questions received after Nov. 10 may not be answered.
The RFI follows President Biden’s May 2021 Cybersecurity Executive Order, which directed Federal agencies to use SBOMs as part of secure software standards. However, not all have supported the use of SBOMs.
The day before the Army RFI was issued, tech-sector trade group Alliance for Digital Innovation sent a letter to the House and Senate Armed Services committees asking lawmakers to reconsider a provision in the forthcoming national defense policy bill that would require vendors to provide an SBOM on the technology they provide government agencies.