The US Army has issued a Request for Information (RFI) on currently developed approaches to address software supply chain issues, with a focus on “Acquisition, Validation, Ingestion and Use of Materials (SBOMs) and closely related matters.”
The RFI, issued Oct. 21, emphasizes the Army’s reliance on software to achieve mission outcomes, explaining that “effective, security-focused” software is “critical to enabling future military capabilities to dominate future conflicts.” The Army has noted that unknown software components can cause its systems to behave in unexpected ways and create openings for attackers.
To limit exposure to attack, the military says it must have a clear and detailed understanding of all software components and their origins in order to conduct risk assessments effectively and mitigate any risks. “The military must ensure that the software underlying every aspect of its mission is secure and resilient to adversary interference, and must have the ability to identify problems early and respond quickly,” the RFI explains.
The Office of the Assistant Secretary of the Army for Acquisition, Logistics and Technology, ASA(ALT), is currently seeking feedback from traditional and non-traditional business partners. ASA(ALT) intends to gather ideas for improving software supply chain security through the collection and review of SBOMs and related scanning and other supply chain risk management (SCRM) information. The ultimate goal is to ensure that Army software is secure and to promptly remediate any vulnerabilities through the software lifecycle.
In the RFI, the Army states that it is seeking feedback on potential contracting methods to secure the software supply chain, methods for analyzing SBOMs, and issues related to SBOM concepts, concerns and implementation, and to integration with C-SCRM. The Army further noted that, depending on industry feedback to the RFI, it may pursue additional investment opportunities. Those opportunities may include question and answer sessions, one-on-one engagements, roundtables, and/or requests for additional written information.
Respondents are asked to share ideas on effective contract structures and policy and licensing changes that can be used to:
- “Choose the contract type best suited to secure software development and SBOM creation and submission;
- Promote high quality, timely, comprehensive SBOM;
- Enable software assurance risk assessment and mitigation techniques for COTS software, GOTS software, company developed software and subcontractor developed software;
- Ensure acquisitions include requirements and accountability for secure software development practices; and
- Successfully reduce timelines to identify and mitigate risks and issues in the software supply chain.”
Responses are due by November 10. The RFI notes that questions received after November 10 will receive no response.
The RFI follows President Biden’s May 2021 Cybersecurity Executive Order that directed federal agencies to use SBOMs as part of secure software standards. However, not everyone has supported the use of SBOMs.
The day before the Army RFI was issued, the tech-sector trade group Alliance for Digital Innovation sent a letter to the House and Senate Armed Services Committees asking them to reconsider a provision in the upcoming national defense policy bill that would require vendors to provide SBOMs on technology they provide to government agencies.