To contend with growing software supply chain security threats, an increasing number of governments and regulatory bodies have started to implement SBOM (software bill of materials) regulations. Among the latest is the U.S. Army.
An Aug. 16 memo from Assistant Secretary of the Army (Acquisition, Logistics, and Technology) Douglas R. Bush directed the branch to start including contract language requiring SBOMs for “covered computer software.” The regulations will likely take effect in early 2025 and will cover most contractors and subcontractors that sell software to the Army.
The goal of the SBOM requirement is “to enhance software supply chain risk management practices and effectively mitigate software supply chain risks.”
In this blog, we’ll cover the requirement’s details, scope, impacted parties, and implementation timeline. We’ll also discuss steps Army software contractors and subcontractors can take now to prepare.
Requirement Scope
The Army’s new SBOM requirements will apply to all “covered computer software.” The branch’s memo defines “covered computer software” as:
“... any computer software developed exclusively with Government funds to include Government-off-the-Shelf software, any computer software developed by a Contractor using exclusively Contractor funds or Independent Research and Development funds, any commercial computer software (as defined by FAR 2.101), and any noncommercial computer software developed and delivered to the Government by a Contractor.”
The memo also notes that “commercial computer software” includes both COTS (commercial-off-the-shelf) and open source.
There is one notable exemption from the requirement: Cloud services are not currently covered by the regulation.
Critically, the requirement applies to both Army contractors and subcontractors. The memo specifies that contract language and SBOM obligations must be passed down to all software development or delivery subcontractors.
In other words, if you provide software to the Army — or if you provide software to a vendor that provides software to the Army — you’ll need to be prepared to produce and deliver an SBOM.
Implementation Timeline and Requirements
The memo outlines a series of next steps as the Army works toward fully adopting the new regulations. Here are some of the key milestones on the implementation timeline.
Within 90 Days of the Memo’s Release: Sample Guidance
By Nov. 14, 2024, the Deputy Assistant Secretary of the Army will provide several pieces of guidance to inform the specifics of implementation. This will include:
- Sample contract language for requiring an SBOM
- Sample data descriptions
- A guide for SBOM management and implementation
Within 90 Days of the Sample Guidance Release: Incorporating Contract Language
Within 90 days of the release of the aforementioned guidance and sample materials, the Army’s Program Executive Offices (PEO) and Program Managers (PM) will be tasked with:
- Incorporating SBOM contract language for new contracts
- Ensuring said contract language gets passed down to subcontractors
- Codifying processes for SBOM collection, storage, management, and monitoring
- Codifying processes for managing vulnerabilities that surface via SBOM monitoring
90 Days After the Sample Guidance Release: Collect, Store, Manage, and Monitor SBOMs
The regulations will fully take effect 90 days after the release of the sample guidance discussed earlier in this section. In other words, beginning in February 2025, the Army will start collecting and analyzing SBOMs from software contractors and subcontractors. The branch will also begin SBOM management and continuous monitoring activities to maximize software supply chain security benefits.
Preparing for Compliance
Although certain details of the Army’s SBOM regulations are still being developed, contractors and subcontractors can take steps now to get prepared.
- SBOM generation
First and foremost, since the Army's stated purpose is ongoing supply chain risk management (the memo commits the branch to SBOM monitoring and to processes for handling the vulnerabilities that monitoring surfaces), contractors and subcontractors should be prepared to generate an SBOM in a machine-readable format such as SPDX or CycloneDX. It is also reasonable to assume that the Army will require at least the NTIA minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of the SBOM data, and timestamp), so choose an SBOM tool that populates those fields.
- SBOM distribution
It’s also critical for contractors to start having the SBOM conversation with their subcontractors and to develop a plan for SBOM sharing. (A tool like FOSSA’s private SBOM portal — which allows for time-based access control — is often a good solution.)
- SBOM ingestion
Along with a strategy for securely sharing/collecting SBOMs, it’s also important to be able to successfully ingest the SBOMs you receive. This will allow you to combine what you collect from subcontractors with your own SBOM to form an application-level SBOM that you distribute.
- Vulnerability identification and management
In contrast to some other SBOM regulations (e.g. the FDA’s), the Army memo doesn’t specifically require contractors to provide a list of vulnerabilities (and mitigations) associated with the SBOM. However, this could conceivably change in the future, so it’s not a bad idea to get a process and/or tool in place that provides this capability.
(Also, it’s not outside of the realm of possibility that the Army’s contract language could end up requiring contractors to provide some sort of vulnerability information; we should get confirmation one way or the other once the sample guidance is released in the coming months.)
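As an added example (not part of the original post and not FOSSA's code), the following Python script does the two things the generation and ingestion steps above ask for: it checks a CycloneDX JSON SBOM for the NTIA minimum elements, and it folds a subcontractor's SBOM into the prime's own SBOM to produce the application-level SBOM the prime delivers. It uses only the standard library. The two SBOMs at the bottom are constructed sample data with fictitious company and component names; the Army has not published its data descriptions yet, so the field checks follow the NTIA list, not any Army-specific schema.

```python
"""Added example, not FOSSA code: check a CycloneDX JSON SBOM for the NTIA minimum
elements and fold subcontractor SBOMs into one application-level SBOM (stdlib only)."""
import json
import uuid
from datetime import datetime, timezone

def component_key(c):
    """Stable identity for a component: its purl if present, else name@version."""
    return c.get("purl") or f"{c.get('name')}@{c.get('version')}"

def check_ntia_minimum(bom):
    """Return a list of problems; empty means the NTIA minimum elements (supplier, name,
    version, unique id, dependency relationship, author, timestamp) are all present."""
    problems = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        problems.append("metadata.timestamp missing (Timestamp)")
    if not (meta.get("authors") or meta.get("tools")):
        problems.append("metadata.authors/tools missing (Author of SBOM Data)")
    if not meta.get("component"):
        problems.append("metadata.component missing (what the SBOM describes)")
    in_graph = set()  # every bom-ref that appears on either side of a dependency edge
    for d in bom.get("dependencies", []):
        in_graph.add(d.get("ref"))
        in_graph.update(d.get("dependsOn", []))
    for c in bom.get("components", []):
        label = component_key(c)
        for field in ("name", "version"):
            if not c.get(field):
                problems.append(f"{label}: {field} missing")
        if not (c.get("supplier") or {}).get("name"):
            problems.append(f"{label}: supplier.name missing (Supplier Name)")
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            problems.append(f"{label}: no purl/cpe/swid (Other Unique Identifiers)")
        if c.get("bom-ref") not in in_graph:
            problems.append(f"{label}: not in dependencies (Dependency Relationship)")
    return problems

def merge_sboms(app_bom, supplier_boms, author):
    """Application-level BOM the prime delivers: its own components plus each subcontractor
    deliverable (its metadata.component) and that deliverable's dependency graph. bom-refs
    become component_key, so one package reported by two parties collapses into one entry."""
    components, deps = {}, {}

    def absorb(bom):
        root = bom["metadata"]["component"]  # required; run check_ntia_minimum first
        ref_map = {root["bom-ref"]: component_key(root)}  # this BOM's bom-ref -> merged key
        for c in bom.get("components", []):
            key = component_key(c)
            ref_map[c["bom-ref"]] = key
            components.setdefault(key, {**c, "bom-ref": key})
        for d in bom.get("dependencies", []):
            if d["ref"] in ref_map:
                deps.setdefault(ref_map[d["ref"]], set()).update(
                    ref_map[r] for r in d.get("dependsOn", []) if r in ref_map)
        return root, ref_map[root["bom-ref"]]

    app_root, app_key = absorb(app_bom)
    for sub in supplier_boms:
        sub_root, sub_key = absorb(sub)
        components.setdefault(sub_key, {**sub_root, "bom-ref": sub_key})
        deps.setdefault(app_key, set()).add(sub_key)  # the application ships this deliverable
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(),
                     "authors": [{"name": author}],
                     "component": {**app_root, "bom-ref": app_key}},
        "components": list(components.values()),
        "dependencies": [{"ref": k, "dependsOn": sorted(v)} for k, v in deps.items()],
    }

def _c(ref, name, version, supplier=None, purl=None, ctype="library"):  # constructed sample component
    c = {"type": ctype, "bom-ref": ref, "name": name, "version": version}
    if supplier:
        c["supplier"] = {"name": supplier}
    if purl:
        c["purl"] = purl
    return c

PRIME_BOM = {  # the prime contractor's own SBOM (constructed; fictitious names)
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"timestamp": "2024-09-01T12:00:00Z", "authors": [{"name": "Prime Corp CI"}],
                 "component": _c("app", "mission-console", "2.1.0", "Prime Corp", ctype="application")},
    "components": [_c("req", "requests", "2.31.0", "Requests project", "pkg:pypi/requests@2.31.0")],
    "dependencies": [{"ref": "app", "dependsOn": ["req"]}],
}
SUB_BOM = {  # delivered by a subcontractor (constructed); urllib3 has no supplier name
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"timestamp": "2024-08-20T08:30:00Z", "tools": [{"name": "sub-sbom-gen", "version": "0.3"}],
                 "component": _c("lib", "targeting-lib", "1.4.2", "Sub Corp", "pkg:generic/targeting-lib@1.4.2")},
    "components": [_c("c1", "requests", "2.31.0", "Requests project", "pkg:pypi/requests@2.31.0"),
                   _c("c2", "urllib3", "2.0.7", purl="pkg:pypi/urllib3@2.0.7")],
    "dependencies": [{"ref": "lib", "dependsOn": ["c1", "c2"]}, {"ref": "c1", "dependsOn": ["c2"]}],
}

if __name__ == "__main__":
    for name, bom in (("prime", PRIME_BOM), ("sub", SUB_BOM)):
        print(name, check_ntia_minimum(bom) or "ok")
    print(json.dumps(merge_sboms(PRIME_BOM, [SUB_BOM], "Prime Corp CI"), indent=2))
```

Run directly, the script reports the prime's SBOM as complete, flags the missing supplier name on the subcontractor's urllib3 entry, and prints the merged application-level BOM. Note that the subcontractor's gap survives the merge: the prime now holds an SBOM that fails the same check, which is the reason to validate at ingestion and push defects back to the subcontractor rather than discover them once the Army's monitoring does. Two points worth carrying into a real pipeline: dependency edges whose refs are unknown to the BOM are dropped silently here, so report them in practice, and the dedup-by-purl rule means two suppliers shipping the same package version are recorded once, which is what you want for vulnerability correlation but not for auditing who delivered what.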
How FOSSA Helps Manage SBOM Compliance Regulations
FOSSA is currently helping organizations in a variety of regulated industries manage compliance with SBOM regulations. Our SBOM management solution makes it easy to generate SBOMs, ingest SBOMs from software suppliers, analyze SBOMs to understand security risks, and securely distribute SBOMs.
The FOSSA platform also captures vulnerability fix decisions via automated VEX annotations, which is a useful feature for fulfilling customer requests and potentially regulatory requirements.
Please reach out to our team for more information on how we can help your organization navigate SBOM requirements.