The U.S. Army is looking to the private sector for ideas on proactive monitoring and critical vulnerability mitigation to shore up its software supply chain and improve the security of its thousands of software components and third-party libraries, principally through Software Bill of Materials (SBOM) processes.
In a request for information (RFI), posted to Sam.gov last week, the service branch said it is seeking feedback on “alternatives to [its] approach, how to motivate [Software Bills of Material] delivery from vendors, share best practices, and better inform our software supply chain risk management strategy.”
Responses to the RFI are due Oct 13.
Every mission, major system acquisition, and technology modernization effort that occurs within the Army is dependent on software to bring capabilities that meet the warfighter’s needs and dominate future conflicts. Therefore, the Army said it needs to ensure that the software it utilizes through every aspect of its mission is secure and resilient to adversarial interference.
The primary approach the Army is interested in involves SBOM processes. Specifically, the RFI seeks feedback on how the service could operationalize SBOMs by performing continuous monitoring, risk analysis, and mitigation; by encouraging programs to self-generate an SBOM when vendors do not deliver one; and by incorporating contract language that requires an SBOM, in standardized formats, as a primary artifact to address Federal guidance for Army software-intensive systems.
SBOMs would “provide increased fidelity into the Army software supply chain to query components on-demand and target mitigations for high-risk software components” and “enhance the security of the Army’s software supply chain and enable proactive risk mitigation,” the RFI states.
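The on-demand component query the RFI describes can be illustrated with a small program that walks a CycloneDX SBOM and matches each component's package URL (purl) and version against an advisory feed. This is an added example, not Army code and not code from any SBOM tool; the SBOM document, the advisory feed, the `ADV-PLACEHOLDER-*` identifiers and the package names are all constructed for illustration. It also flags components that lack a purl or version, since an SBOM that cannot be resolved against advisories gives no assurance, which is one reason delivery quality matters as much as delivery itself.

```python
"""Query a CycloneDX SBOM for components that fall inside known advisory ranges.

Added example; not Army code or a vendor's tool. The SBOM and advisory feed
below are constructed (placeholder identifiers, no real vulnerabilities).
"""
import json
import re
from typing import Iterator

# Constructed CycloneDX 1.5 document. Note the nested "components" list:
# CycloneDX allows a component to carry the components bundled inside it.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.4.2",
         "purl": "pkg:pypi/examplelib@1.4.2"},
        {"type": "library", "name": "widget-parser", "version": "3.0.1",
         "purl": "pkg:npm/@acme/widget-parser@3.0.1",
         "components": [
             {"type": "library", "name": "tiny-escape", "version": "0.9.0",
              "purl": "pkg:npm/tiny-escape@0.9.0"},
         ]},
        # No purl and no version: cannot be matched against any advisory.
        {"type": "library", "name": "mystery-lib"},
    ],
})

# Constructed advisory feed. Affected range is [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "purl_prefix": "pkg:pypi/examplelib",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-002", "purl_prefix": "pkg:npm/@acme/widget-parser",
     "introduced": "2.0.0", "fixed": "3.0.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-003", "purl_prefix": "pkg:npm/tiny-escape",
     "introduced": "0.8.0", "fixed": "0.9.3", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-004", "purl_prefix": "pkg:pypi/not-in-this-bom",
     "introduced": "0", "fixed": "9.9.9", "severity": "low"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> tuple:
    """Turn '1.26.4-rc1' into (1, 26, 4); pads to three numeric fields."""
    nums = []
    for part in v.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def purl_base(purl: str) -> str:
    """Strip version, qualifiers and subpath so the purl can be compared.

    'pkg:npm/@acme/x@1.2.3?arch=x64' -> 'pkg:npm/@acme/x'
    The version '@' is the one after the last '/', which keeps npm scopes intact.
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    head, sep, tail = core.rpartition("/")
    tail = tail.split("@", 1)[0]
    return head + sep + tail


def iter_components(node: dict) -> Iterator[dict]:
    """Depth-first walk over top-level and nested CycloneDX components."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def assess(sbom_json: str, advisories: list) -> dict:
    """Return matched findings (most severe first) and unresolvable components."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    by_prefix: dict = {}
    for adv in advisories:
        by_prefix.setdefault(adv["purl_prefix"], []).append(adv)

    findings, unresolvable = [], []
    for comp in iter_components(sbom):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            unresolvable.append(comp.get("name", "<unnamed>"))
            continue
        ver = parse_version(version)
        for adv in by_prefix.get(purl_base(purl), []):
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append({"purl": purl, "advisory": adv["id"],
                                 "severity": adv["severity"], "fixed": adv["fixed"]})
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return {"findings": findings, "unresolvable": unresolvable}


if __name__ == "__main__":
    result = assess(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for f in result["findings"]:
        print(f"{f['severity']:8} {f['purl']}  ->  {f['advisory']} (fixed in {f['fixed']})")
    for name in result["unresolvable"]:
        print(f"unresolvable: {name} (no purl/version in SBOM)")
```

The advisory feed is keyed on the version-less purl, which is what lets a program answer "where do we ship this component?" across many SBOMs without re-parsing vendor-specific naming. The `unresolvable` list is the check a practitioner wants when SBOMs start arriving under new contract language: a delivered SBOM whose components carry no purl or version satisfies the letter of the requirement but cannot support continuous monitoring.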
According to the RFI, select Army programs have piloted SBOM language in their contracts and are awaiting initial delivery of SBOMs at the program and component level.
In addition, the Army is looking to incorporate contract language that requires submission of vendor compliance with the Secure Software Development Framework through a legally binding attestation letter for all future software, components, and versions delivered to the Army.
According to the RFI, this would satisfy guidance from the Cybersecurity and Infrastructure Security Agency and other Federal policies, such as the Nov 2022 executive order on improving the nation’s cybersecurity.
It will also “enable the Army with increased assurance over the software supply chain,” the RFI states.
The RFI will also contribute to the Army’s effort to address the policies and directives codified in several Federal software security policies, such as the cybersecurity EO and Office of Management and Budget guidance M23-18 and M23-16.
The Army will consider any feedback in its continued effort to develop contracting guidance, technical policies, and future software acquisitions, according to the RFI.