Military Embedded Systems

GUEST BLOG: The U.S. Army's new SBOM requirement

Blog

February 13, 2025

Nick Mistry

Lineaje

It’s in the U.S. Army’s nature to act with precision and synchrony when executing complex tasks such as multidomain operations, training, and logistics, so why would we expect anything less from the software that powers it?

To raise the integrity of the software it buys, the Army’s Assistant Secretary for Acquisition, Logistics, and Technology issued a memo in August 2024 mandating that software vendors provide a software bill of materials (SBOM) for all new software contracts, including commercial off-the-shelf (COTS) software, by February 2025. The policy aligns with the Biden administration’s Executive Order (E.O.) 14028, under which vendors working with federal agencies must attest that their software was developed in line with the NIST Secure Software Development Framework (SSDF), a step intended to move the industry toward stronger federal supply-chain security. There is a long way to go: a full 91% of organizations experienced a software supply-chain attack in 2023 alone, according to a recent study from cybersecurity firm Data Theorem.

Learning from the past

As part of E.O. 14028, organizations that sell software to federal agencies were required to complete the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure Software Development Attestation Form. The form reinforces four “secure by design” principles:

  • Ensuring security controls are in place to protect software development environments.
  • Taking steps to actively assess the trustworthiness of third-party components in software.
  • Maintaining provenance data for all components, including third-party and open source.
  • Establishing a robust vulnerability-management capability.

Despite ample time to complete the form and meet this particular requirement of E.O. 14028, research conducted by Lineaje at RSA Conference 2024 found that 80% of affected organizations were unprepared to meet the initial deadline of June 11, 2024. Worse, the survey found that 65% of security professionals had not even heard of E.O. 14028. Budget limitations and a lack of staffing markedly slowed software supply-chain security and maintenance measures.

If software vendors cannot meet the SBOM mandate laid out in the Army memo, the Army loses visibility into what is actually running on its systems. Without that visibility, vulnerable or tampered components can reach the Army’s network of partners, or the Army itself, and go undetected; that is a national-security problem, not just a procurement one.

Safer software matters to the Army

At the heart of the software compliance mandates is the SBOM. An SBOM gives a transparent view of a software supply chain by listing every component, library, and dependency that makes up an application. With an SBOM, security teams can see which products contain which components and therefore where risk sits, which makes it easier to find vulnerable components early and act before they are exploited. An SBOM is an inventory, not a vulnerability assessment: its value comes from matching the listed components against vulnerability data and acting on the results. SBOMs are also critical to identifying sources of compromise in the supply chain, provided they carry accurate source and provenance information at a component level fine enough to allow independent verification of the software’s supply-chain integrity. This matters especially for the U.S. Department of Defense (DoD) because of the nature of its systems and the data they hold.

The new SBOM mandate in the Army memo also prioritizes SBOMs over attestations: Army leadership views SBOMs as the most efficient way to gain assurance about supply-chain security. As February 2025 approaches, software providers seeking Army contracts must be able to generate, manage, and share accurate SBOMs.

Compliance requirements

By the February 2025 deadline, software providers need to take the following steps:

  • Generate SBOMs comprehensively and automatically. SBOM generation should be built into the build pipeline rather than done by hand, and the output should be a machine-readable format such as SPDX or CycloneDX that contains at least the National Telecommunications and Information Administration (NTIA) minimum elements: supplier name, component name, component version, unique identifiers, dependency relationships, the SBOM author, and a timestamp. Comprehensive generation ensures that all open-source, third-party, and custom-developed components are accounted for.
  • Have visibility into subcontractors’ software supply chains. Subcontractors are included in the new policy, so software providers must be able to collect, track, share, and manage SBOMs across multiple vendors and partners to establish compliance across the entire ecosystem.
  • Be proactive with vulnerabilities. Organizations must not only identify vulnerabilities in the components their SBOMs list but also fix them quickly, including in open-source code that has no upstream patch, where the options are to backport a fix, replace the component, or mitigate the issue and document that decision.
  • Create a secure channel for sharing SBOMs. Software providers need a way to share SBOMs and security attestations with the Army and other federal agencies that protects the confidentiality of the SBOM (a full component inventory is useful to an attacker) and the integrity of the software it describes, while meeting contractual obligations.
  • Maintain an SBOM repository. Software vendors need a central repository for all SBOMs, so that the information shared with customers is controlled and security teams can manage who has access to it.

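The NTIA minimum elements named above are easier to verify than to describe, so here is an added example (written for this page, not code from Lineaje, the Army, or any SBOM vendor) that checks a CycloneDX JSON SBOM for each of the seven elements and reports every gap. The mapping of NTIA fields onto CycloneDX fields (`metadata.authors`/`metadata.tools`, `metadata.timestamp`, `supplier.name`, `purl`/`cpe`, `dependencies`) is an assumption of this example, and the two SBOMs at the bottom are constructed samples, not real products.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

NTIA's "Minimum Elements for a Software Bill of Materials" (July 2021)
requires: supplier name, component name, component version, other unique
identifiers, dependency relationship, author of SBOM data, and timestamp.
The field mapping below is this example's assumption about where CycloneDX
carries each of them.  Both SBOMs at the bottom are constructed samples.
"""
from __future__ import annotations

import copy
import json
import sys
from datetime import datetime


def _has(value) -> bool:
    return isinstance(value, str) and value.strip() != ""


def check_ntia_minimum(sbom: dict) -> list[str]:
    """Return findings; an empty list means all NTIA minimum elements are present."""
    findings: list[str] = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("document: bomFormat is not CycloneDX")
    meta = sbom.get("metadata") or {}

    # Author of SBOM data: a person/org in metadata.authors or a generating tool.
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("document: no SBOM author (metadata.authors / metadata.tools)")

    # Timestamp: metadata.timestamp must be an RFC 3339 date-time.
    ts = meta.get("timestamp")
    if not _has(ts):
        findings.append("document: missing metadata.timestamp")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"document: timestamp {ts!r} is not RFC 3339")

    components = sbom.get("components") or []
    if not components:
        findings.append("document: no components listed")

    refs = set()  # every bom-ref the dependency graph may legitimately name
    root_ref = (meta.get("component") or {}).get("bom-ref")
    if _has(root_ref):
        refs.add(root_ref)
    for comp in components:
        label = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not _has(comp.get("name")):
            findings.append(f"{label}: missing component name")
        if not _has(comp.get("version")):
            findings.append(f"{label}: missing component version")
        if not _has((comp.get("supplier") or {}).get("name")):
            findings.append(f"{label}: missing supplier name")
        if not (_has(comp.get("purl")) or _has(comp.get("cpe"))):  # unique identifier
            findings.append(f"{label}: no unique identifier (purl/cpe)")
        if _has(comp.get("bom-ref")):
            refs.add(comp["bom-ref"])
        else:
            findings.append(f"{label}: missing bom-ref, cannot appear in dependencies")

    # Dependency relationship: every ref in the graph must exist, and every
    # component must appear in the graph somewhere (as a node or a dependency).
    mentioned = set()
    for entry in sbom.get("dependencies") or []:
        ref = entry.get("ref")
        if ref not in refs:
            findings.append(f"dependencies: ref {ref!r} does not match any component")
        mentioned.add(ref)
        for dep in entry.get("dependsOn") or []:
            if dep not in refs:
                findings.append(f"dependencies: {ref!r} depends on unknown ref {dep!r}")
            mentioned.add(dep)
    for comp in components:
        if _has(comp.get("bom-ref")) and comp["bom-ref"] not in mentioned:
            findings.append(f"{comp['bom-ref']}: not present in the dependency graph")
    return findings


# Constructed sample: a small application whose SBOM carries every element.
PARSER = "pkg:maven/org.example/parser@1.4.2"
LOGGING = "pkg:maven/org.example/logging@3.0.1"
COMPLETE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "timestamp": "2025-02-01T12:00:00Z",
        "authors": [{"name": "Example Vendor build pipeline"}],
        "component": {"type": "application", "bom-ref": "app", "name": "example-app",
                      "version": "2.3.0", "supplier": {"name": "Example Vendor"}},
    },
    "components": [
        {"type": "library", "bom-ref": PARSER, "purl": PARSER, "name": "parser",
         "version": "1.4.2", "supplier": {"name": "Example Org"}},
        {"type": "library", "bom-ref": LOGGING, "purl": LOGGING, "name": "logging",
         "version": "3.0.1", "supplier": {"name": "Example Org"}},
    ],
    "dependencies": [{"ref": "app", "dependsOn": [PARSER]},
                     {"ref": PARSER, "dependsOn": [LOGGING]},
                     {"ref": LOGGING, "dependsOn": []}],
}

# Constructed sample: the same SBOM with typical gaps a hand-edited file shows.
INCOMPLETE_SBOM = copy.deepcopy(COMPLETE_SBOM)
del INCOMPLETE_SBOM["metadata"]["timestamp"]
INCOMPLETE_SBOM["components"][1].pop("version")
INCOMPLETE_SBOM["components"][1].pop("supplier")
INCOMPLETE_SBOM["dependencies"][0]["dependsOn"].append("pkg:npm/left-pad@1.3.0")

if __name__ == "__main__":
    # Usage: python check_sbom.py [bom.json]; with no file, the samples are checked.
    targets = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [COMPLETE_SBOM, INCOMPLETE_SBOM]
    for sbom in targets:
        print("\n".join(check_ntia_minimum(sbom)) or "all NTIA minimum elements present")
```

Run against the incomplete sample, the checker reports the missing timestamp, the logging component's missing version and supplier, and a dependency on a ref that no component declares. The last finding is the one worth building a pipeline gate around: an SBOM whose dependency graph names components it does not describe is exactly the kind of SBOM that lets a compromised transitive dependency slip past review.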
The Army’s SBOM mandate has the potential to make U.S. armed forces safer and more secure by better protecting them against a rising volume of cyberthreats. According to U.S. Cyber Command, 20% to 30% of global cyberattacks from advanced persistent threat (APT) groups have targeted defense or military institutions. With the software supply chain among the top three cybersecurity concerns, according to the Enterprise Strategy Group, the Army will need to keep the supply chain top of mind over the coming years. With tools in place to give visibility into software components, generate SBOMs efficiently, and manage vulnerabilities, software vendors can keep up with evolving DoD requirements and stay ahead of the curve.

Nick Mistry is a Senior Vice President and CISO at Lineaje.
