A coalition of cybersecurity industry associations have published an open letter urging the US Congress to delay Software Bill of Materials requirements for defense contractors.
The letter relates to section 4543 of the National Defense Authorization Act for Fiscal Year 2023, which requires the US Department of Defense to establish requirements for a software bill of materials (SBOMs) for contractors.
SBOM refers to a list of all the open source and third-party components and the ingredients that make up those components. This is seen as an essential aspect of software and supply chain risk management as it enables security teams to gain more visibility into third-party risks in their software supply chain.
SBOMs have become an increasing focus for the federal government recently, with President Joe Biden’s executive order ‘Improving the Nation’s Cybersecurity’ in May 2021 including new requirements for software vendors to provide this list as part of their federal procurement process. In addition, in November 2022, the Cybersecurity and Infrastructure Security Agency (CISA) included the use of SBOMs as part of its advisory on securing the software supply chain.
However, the open letter has urged Congress’ Armed Services Homeland Committees to delay this legislation, “while allowing the many executive branch activities related to SBOMs to mature the ecosystem.”
It outlined four key factors that support delaying the legislation in this area:
1. The coalition cited the Cyber Safety Review Board (CSRB)’s July 2022 report into the notorious Log4j event, which highlighted the need for greater maturity around the development of SBOMs before they are written into law. For example, it stated that SBOMs are limited by variances in field descriptions and a lack of version information about catalogued components.
2. The letter argued that Congress and government are currently taking an “uncoordinated approach to policymaking on SBOMs,” further complicating this emerging environment.
3. It also pointed out that if the legislation is enacted as planned, it will apply before federal policies on SBOMs come into force, such as Biden’s executive order. “Left unchecked, these varying mandates can be expected to conflict in design and execution,” and therefore the DoD should observe the effect and use of SBOMs mandated by the order.
4. The coalition cautioned against to the “overly simplistic analogies” used to describe SBOMs, which they noted will need to evolve and change through its lifecycle. Therefore, more time is required to establish the complex formats, procedures, uniformity and protections that are needed to make SBOMs manageable at scale.
The coalition emphasized that it understands the importance of SBOMs and is committed to working with Congress to make them work effectively.
The letter stated: “SBOMs are expected to help organizations reduce cyber risk, but they will need processes, tools and standards to translate SBOMs into improved cybersecurity outcomes. Governments, industry and other stakeholders are already working to develop these processes, tools and standards – efforts that are progressing at an impressive pace. The most constructive step Congress can take to help SBOMs deliver their anticipated benefits is to support this ongoing work and ensure that future laws requiring SBOMs are harmonized across the US government.”
The signatories to the letter were the Alliance for Digital Innovation (ADI), The Software Alliance, the Center for Procurement Advocacy (CPA), the Cybersecurity Coalition and the US Chamber of Commerce.
Commenting, Jamie Scott, founding product manager at Endor Labs, agreed with the coalition’s assertion that SBOMs practices require refinement before being rolled out: “The key question agencies must ask is: What is the required data in an SBOM and what constitutes a quality SBOM from a minimal SBOM?
“If organizations define data quality, they can work with a set of recommended tooling that provides the highest quality of data. But until approved and vetted tooling is created, this will be a struggle given the variances across solutions.”
Putting the responsibility on agencies for this guidance will result in friction and snowflake requirements between agencies, which will cause friction across the ecosystem. We need to start first with reasonable requirements for data and reasonable practices.
“The industry hasn’t established a contract or standard practices and processes that can be followed repeatedly, and the guidance provided doesn’t detail these practices and processes.
“If first we want to establish transparency, much of the tooling exists to achieve this goal. But the practices and processes are unclear across the industry today.”
On November 30, research from CyberSheath found that 87% of US defense contractors are failing to meet basic cybersecurity regulation requirements.
