Four industry associations are raising the red flag over a provision in the fiscal 2023 defense authorization bill that they say could cause confusion across government and contradict current cybersecurity efforts.
The Alliance for Digital Innovation, the Software Alliance, the Cybersecurity Coalition and the Information Technology Industry Association wrote to House and Senate armed services and oversight leaders expressing concern over Section 6722, which features the provision DHS Software Supply Chain Risk Management included in the House version of the NDAA.
The provision would require the Department of Homeland Security to issue guidance for all new and current contracts that would require vendors to provide “the bill of materials used for such contract, upon the request of such officer; and the certification and notifications” that the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service, particularly those in the vulnerability databases run by the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency.
The associations say the provision “is not sufficiently scoped nor does it account for current administration efforts regarding software bill of materials (SBOMs), or the readiness of software suppliers and consumers, including government customers, to fully leverage SBOMs.”
The associations also say the vagueness of the provision will lead to problems.
“As drafted, the amendment is unclear on whether the bill of materials is limited to software or all components. An expansion beyond software is inconsistent with existing administration efforts, impractical and introduces additional implementation challenges,” the letter stated. “Furthermore, paragraph (e) of the amendment provides conflicting requirements with respect to certifications and notifications. In one instance, the provision requires certification that the items in the BOM are free of vulnerabilities or defects, and in another it requests a plan to mitigate all identified vulnerabilities.”
The associations also say with OMB developing SBOM guidance, any legislative effort is premature.
“Ultimately, SBOMs will not achieve the desired utility for agencies at this point because of a lack of standardization,” the letter stated. “DHS’s recent Cyber Safety Review Board review of the December 2021 Log4j event notes that SBOMs are currently limited, with differences in field descriptions and lacking version information. This highlights the need for additional work to include guidance on the structure and construction of an SBOM and standardization of the processes for SBOM dissemination, ingestion, and use. Each of these is critical for sellers to create usable SBOMs and for government and other buyers to make effective use of the output.”
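The two gaps the letter cites from the Log4j review, inconsistent field names across SBOM formats and components with no version, are easy to see in a small audit. The example below is added here and is not part of the letter, the CSRB report or any DHS tooling; the two SBOM documents it reads are constructed samples. It normalizes a CycloneDX-style document (which calls the field "version") and an SPDX-style one (which calls it "versionInfo" and uses NOASSERTION for "not stated") onto one shape, then flags every component whose version cannot be established, since such a component cannot be matched against a vulnerability database at all, which is the precondition for the certification the provision asks for.

```python
"""Audit an SBOM for missing version information, normalizing across the
CycloneDX and SPDX JSON field names. Added example; sample documents are
constructed, not taken from any real contract or product."""
import json

# Constructed CycloneDX-style document: the second component omits its version.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "commons-text"},  # version omitted
    ],
})

# Constructed SPDX-style document: the same fact lives in "versionInfo",
# and SPDX uses NOASSERTION to say the producer did not state a value.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-service",
    "packages": [
        {"SPDXID": "SPDXRef-Package-jackson", "name": "jackson-databind",
         "versionInfo": "2.13.4"},
        {"SPDXID": "SPDXRef-Package-snakeyaml", "name": "snakeyaml",
         "versionInfo": "NOASSERTION"},
    ],
})


def normalize_components(doc: dict) -> list:
    """Map either format onto a common list of {name, version} dicts so the
    checks below do not need to know which spec produced the SBOM."""
    if doc.get("bomFormat") == "CycloneDX":
        return [{"name": c.get("name"), "version": c.get("version")}
                for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        out = []
        for p in doc.get("packages", []):
            v = p.get("versionInfo")
            # SPDX's NOASSERTION / NONE carry no usable version: treat as missing.
            if v in ("NOASSERTION", "NONE"):
                v = None
            out.append({"name": p.get("name"), "version": v})
        return out
    raise ValueError("unrecognized SBOM format")


def audit_sbom(text: str) -> dict:
    """Return the detected format, the component count, the names of
    components with no version, and whether the SBOM is usable for
    vulnerability matching (every component versioned)."""
    doc = json.loads(text)
    comps = normalize_components(doc)
    fmt = "CycloneDX" if doc.get("bomFormat") == "CycloneDX" else "SPDX"
    missing = [c["name"] for c in comps if not c["version"]]
    return {"format": fmt, "components": len(comps),
            "missing_version": missing, "usable": not missing}


if __name__ == "__main__":
    for sample in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
        print(audit_sbom(sample))
```

Both constructed documents fail the audit for one component each, which is the practical point: a consumer can only look a component up in the NIST or CISA databases once its name and version are both present and mean the same thing regardless of which format the supplier chose.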
Provision lacks clarity
Other experts agree the provision is faulty.
Trey Hodgkins, president of Hodgkins Consulting, LLC, who has been tracking the provision for clients, said the provision lacks clarity in a number of areas.
“It is confusing because the title says software, but the definitions include all IT products and services. That means it is all inclusive and includes cloud. Vendors would have to provide a bill of materials for all products used in the provision of services and delivery of product to DHS,” he said. “The proposal is also prospective and retroactive, so all existing and future contracts would be subject to the requirement. It only gives vendors and the department six months to figure it out, so this proposal poses substantial implementation problems for the government and the companies that support their mission.”
Ross Nodurft, the executive director of the Alliance for Digital Innovation and a former OMB cyber office chief, said the process to develop SBOMs is still maturing and it’s too early to codify it in law.
“SBOMs can be a useful part of a larger program focused on secure software development. Additionally, use of SBOMs as part of any type of procurement process is premature at best,” he said in a statement. “Instead, risk based use of SBOMs should be part of a larger discussion that includes both industry and agency stakeholders and should be considered as part of guidance to adopt secure software development lifecycle practices.”
OMB memo just released
The letter comes as the Office of Management and Budget released long-awaited software guidance. OMB says agencies “must only use software provided by software producers who can attest to complying with the government-specified secure software development practices, as described in the NIST guidance,” released in February.
“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” wrote Chris DeRusha, the federal chief information security officer, in a blog post. “With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”
Grant Schneider, the senior director of cybersecurity services at Venable and former federal CISO, said in a statement that the administration’s SBOM efforts should get off the ground before Congress starts mandating requirements.
“More work is needed to ensure IT operators and software developers have shared expectations for the content and sharing mechanisms for SBOMs,” he said.
DoD reporting requirement
Through the NDAA, lawmakers are trying to build upon the White House’s efforts. Along with the DHS language, House members included one other supply-chain-security-focused provision.
It would require the Defense Department to brief the House Armed Services Committee by March 1 on “its efforts to identify and mitigate supply chain threats and vulnerabilities throughout the software supply chain, to include software as well as procedures and controls to ensure the security of that software supply chain.”
The committee wrote in its report that software supply chain attacks are increasing at an exponential rate of four to five times per year, with several thousand attacks in 2021.
The associations urged the Senate Armed Services Committee and the Homeland Security and Governmental Affairs Committee to remove the House language to give industry and the administration more time to mature the SBOM process.