Starting February next year, the US Army will initiate a new directive requiring comprehensive parts lists for nearly all new software procurements. The goal of this directive is to maintain rigorous tracking of all components within different software systems, fostering improved management of resources and enhancing transparency.
This significant change in software management processes is the result of two years of industry consultations, recently approved by Doug Bush, Army’s Chief Procurement Officer. Despite initial resistance, the majority of stakeholders have shown support, bolstered by the potential for positive impact. The detailed timelines and specifics of these changes are soon to be defined.
The directive involves including software bills of materials (SBOMs) in most new software contracts. The Army is given a 90-day window to devise initial requirements for incorporating SBOMs, necessitating a thorough review of existing software contracts and subsequent training for procurement officers.
US Army mandates software parts lists
The Army aims to ensure all new software contracts adhere to newly established SBOM requirements, reinforcing the security and effectiveness of their software systems.
Doug Bush emphasizes the shared accountability of government in managing supply chain risks and improving risk mitigation strategies, especially considering the Army’s reliance on software. He further underscores the requirement for tighter collaboration between public agencies and private sector firms to enhance cybersecurity. Leveraging partnerships, fostering innovation, and persistent evaluation of risk assessment protocols are crucial in fortifying defense systems against potential threats.
However, exceptions to new rules exist, particularly for cloud services, where SBOMs are not required. For most other software types, including new government-sponsored development projects, commercial off-the-shelf software, and open-source software, SBOMs will be imperative.
The Army’s directive is in response to President Biden’s 2021 rules on software supply chains, aimed at boosting security in Army’s software development processes. The Army has been engaging with industry leaders on best practices for implementing SBOMs, leading to a revision of protocols to enhance cybersecurity. The Army plans to introduce these new measures to standardize the use of SBOMs, improving control over software supply chains, ultimately strengthening the army’s operations’ vulnerability management.
