The U.S. Army aims to introduce new regulations by February – or potentially sooner – that will require comprehensive ingredient lists for nearly all newly acquired or developed software that the service branch uses.
In an Aug. 16 memo, the Army detailed its strategy to mandate the inclusion of software bills of materials (SBOMs) in most new software contracts – with the notable exception of cloud services.
The Army’s new memo is in response to President Biden’s 2021 executive order on cybersecurity, which set mandates for securing software supply chains. This was followed by an Office of Management and Budget directive urging agencies to enhance their software development security practices.
In a September 2022 request for information (RFI), the Army began soliciting industry input on implementing SBOMs. Specifically, the service sought details on vendors’ practices for identifying vulnerabilities in their software supply chains, their use of SBOMs, and the most effective methods for keeping government customers informed about supply chain risks.
SBOMs are detailed records that outline the components and supply chain relationships involved in creating software.
The memo gives the Army 90 days to develop implementation guidelines for SBOMs, including template contract language. After this period, individual program offices will have another 90 days to integrate these requirements into their contracts, including those with subcontractors.
“The government has a shared responsibility to manage [supply chain risk],” Doug Bush, the Army’s top acquisition official, wrote in the memo. “Software is a subset of [supply chain risk management] and is to be conducted on systems throughout their lifecycle. Army Directive 2024-02 emphasizes the Army’s reliance on software and the importance of understanding the risks systems can introduce to a network and how to mitigate those risks to the greatest extent possible.”
This initiative is designed to enhance security and transparency by rigorously evaluating software for potential vulnerabilities and verifying that it adheres to operational standards.
Notably, the policy exempts contracting officers from requiring SBOMs for cloud services at this time. However, SBOMs will be mandatory for most other software, including new government-funded development, commercial off-the-shelf products, and open source software.
