Industry cautions on software security regs in the defense bill

Technology trade groups are aligning against a proposal in the House-passed defense policy bill that would require software vendors to attest to the government that their products are free of known defects and to include a bill of materials describing their code. 

The groups – the Alliance for Digital Innovation, BSA Software Alliance, the Cybersecurity Coalition and the Information Technology Industry Association – say that the legislation leapfrogs ongoing administrative efforts to establish software bills of materials (SBOMs) as part of the federal acquisition process. Those efforts, the groups say, are still in their developing stages and there isn't a consistent approach to SBOMs – essentially ingredient lists that tell what proprietary and open source components are included in software application. 

"Ultimately, SBOMs will not achieve the desired utility for agencies at this point because of a  lack of standardization," the groups said in a Sept. 14 letter to the heads of multiple committees of Congress. "This highlights the need for additional work to include guidance on  the structure and construction of an SBOM and standardization of the processes for SBOM  dissemination, ingestion, and use."

SBOMs can be a useful part of a larger secure software development program, according to Ross Nodurft, executive director of the Alliance for Digital Innovation, but the process of producing and implementing the inventory lists of software components is "not mature enough to be codified into law at this time," Nodurft said in a statement. 

"[R]isk-based use of SBOMs should be part of a larger discussion that includes both industry and agency stakeholders and should be considered as part of guidance to adopt secure software development lifecycle practices," Nodurft said.

Grant Schneider, the former federal chief information security officer and senior director of cybersecurity services at Venable, also urged the White House to continue its work in developing and standardizing SBOMs for federal agencies before the practice is mandated into law. 

"More work is needed to ensure IT operators and software developers have shared expectations for the content and sharing mechanisms for SBOMs," Schneider said.

Some of that work is starting to bear fruit. The trade groups' letter landed the same day as the Biden administration released a new set of software security requirements as part of the implementation of the cybersecurity executive order from last year. The updated security posture described in the memo authorizes agencies to require SBOMs from vendors in certain circumstances relating to the "criticality" of  a piece of software. 

The White House guidance advises agencies who opt to use SBOMs to communicate the requirement as early as possible in the acquisition process and they ask agencies to rely on one of a few standard data formats for accepting SBOMs. Additionally, the guidance suggests that agencies can leverage SBOMs from other agencies, "based on direct applicability and currency of the artifacts."