Software Under the Microscope: The U.S. Army Demands Full Code Disclosure

The United States will tighten the security conditions for software supply chains.

By early 2025, the U.S. Army plans to approve new rules requiring detailed component lists for new software to be purchased or developed. This innovation applies to both commercial and open source software.

After nearly two years of consultations with industry representatives, Doug Bush, the Army's chief procurement officer, signed a memorandum ordering that a Software Bill of Materials (SBOM) be included in most new contracts. The SBOM is a document detailing the composition of the software, which allows you to manage risks across the supply chain.

However, the new rule does not apply to cloud services, at least at this stage. For most other software, including custom development as well as commercial and open source solutions, SBOMs will become mandatory.

The memorandum requires the creation of a guide for the implementation of an SBOM within 90 days. Each program will then be required to include requirements in its software procurement contracts. The memorandum was adopted as part of the implementation of President Joe Biden's 2021 executive order on cybersecurity, which, among other things, concerned software supply chains, as well as in accordance with regulators' calls to strengthen the security of software development processes in government agencies.

The process of engaging with the industry began in September 2022, when the U.S. Army asked companies to describe their approaches to identifying vulnerabilities in supply chains and their SBOM practices.

To implement software certification, CISA has issued a form that third parties can use to self-certify their products against secure development standards.

The U.S. Army supports the SBOM approach and plans to expand its use. For example, at the end of 2023, the Army requested information about the possible creation of a list of materials for artificial intelligence algorithms as part of the Linchpin project, but subsequently refused to develop a formal policy on the issue.

Instead, the plan is to use the more simplified "model maps" that are already widely accepted in the AI community. The maps describe the processes used to create the AI models and include information about previous studies. The Army expects a policy on "model maps" to be published in fiscal 2025, along with rules for the use of SBOMs for data, which are also planned to be developed by then.

It is worth noting that IT companies serving the US government have expressed dissatisfaction with the proposed changes to the procurement rules, according to which, in the event of a cyber incident, they will have to provide full access to their systems to US government agencies.
