Army Seeks Industry Input to Strengthen Software Supply Chain Security Through SBOMs

The U.S. Army seeks industry input on using SBOMs to secure its software supply chain and enhance risk management.

The U.S. Army is intensifying efforts to safeguard its software supply chain, calling on private industry for innovative solutions. This push focuses on proactive monitoring, critical vulnerability mitigation, and strengthening security across the thousands of software components and third-party libraries that form the backbone of the Army’s technology infrastructure. Central to this strategy is the adoption of Software Bill of Materials (SBOM) processes, a practice gaining widespread attention across both government and private sectors.

In a recent Request for Information (RFI) posted on Sam.gov, the Army is seeking input from industry on improving its current SBOM approach. The RFI invites feedback on alternatives to the Army’s strategy, methods to encourage vendors to deliver SBOMs, best practices for SBOM implementation, and approaches for improving the overall risk management of the Army’s software supply chain. Responses to the RFI are due by October 13, 2024.

The Army’s Heavy Reliance on Software

Every mission, major system acquisition, and technological advancement within the Army depends heavily on software. From communications and logistics to weapons systems and battlefield management, software underpins nearly every operational capability. In fact, the U.S. military as a whole is the largest employer in the world, with over 1.3 million active-duty personnel and more than 800,000 reservists. This vast infrastructure relies on countless software systems to maintain and enhance operational readiness, and with modern military operations increasingly reliant on advanced technologies, securing these software systems is critical.

Given the stakes, ensuring that every line of code is secure and resilient against adversarial threats is vital. According to the Department of Defense (DoD), approximately 75% of all cyberattacks target software vulnerabilities, making this one of the most significant areas of risk for national security. Software vulnerabilities can lead to breaches that compromise sensitive data, disable critical systems, or provide adversaries with strategic advantages.

SBOMs: A Critical Tool for Supply Chain Security

The Army’s primary focus in addressing software security involves the use of SBOMs. SBOMs act as an inventory of all the components within a piece of software, including third-party libraries and open-source code. This transparency allows organizations to track, identify, and address vulnerabilities more efficiently, especially in systems with complex supply chains.

Specifically, the Army’s RFI seeks input on how to operationalize SBOMs through continuous monitoring, risk analysis, and mitigation strategies. One approach includes encouraging programs to self-generate SBOMs when vendors fail to deliver them, ensuring no gaps in the Army’s software security. Additionally, the Army is exploring contract requirements that make the delivery of an SBOM a fundamental aspect of any software procurement, aligned with federal guidance on standardized formats for software-intensive systems.

By adopting these processes, SBOMs would provide the Army with increased visibility into its software supply chain, allowing it to query components on demand and quickly target high-risk software components for mitigation. According to a 2023 survey by Synopsys, over 84% of codebases contain at least one known open-source vulnerability, underscoring the importance of thorough supply chain visibility.
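The inventory-and-query workflow described above (an SBOM listing components, which is then matched against known vulnerabilities and queried on demand) can be sketched in a few functions. This is an added example, not code from the Army or from any SBOM tool: the SBOM document, package names, versions and advisory feed are constructed samples, and the advisory format is a hypothetical one keyed by package URL (purl).

```python
import json

# Constructed CycloneDX 1.5-style SBOM; package names, versions and purls are sample values.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-parser", "version": "1.4.2",
     "purl": "pkg:maven/com.example/example-parser@1.4.2?type=jar"},
    {"type": "library", "name": "httpclient", "version": "3.0.1",
     "purl": "pkg:pypi/httpclient@3.0.1"},
    {"type": "library", "name": "vendor-blob", "version": "", "purl": ""}
  ]
}
"""

# Constructed advisory feed (hypothetical format): versionless purl -> {affected version: advisory id}.
ADVISORIES = {
    "pkg:maven/com.example/example-parser": {"1.4.2": "EXAMPLE-ADV-001"},
}

def load_components(sbom_text):
    """Return the component list of a CycloneDX JSON document, rejecting other formats."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return doc.get("components", [])

def incomplete_components(components):
    """Names of components missing a version or purl: they cannot be matched to advisories, so surface the gap."""
    return [c["name"] for c in components if not c.get("version") or not c.get("purl")]

def affected_components(components, advisories):
    """Return (name, version, advisory id) for each component with a known advisory."""
    hits = []
    for c in components:
        base, _, rest = c.get("purl", "").partition("@")
        version = rest.split("?")[0]  # drop purl qualifiers such as ?type=jar
        adv = advisories.get(base, {}).get(version)
        if adv:
            hits.append((c["name"], version, adv))
    return hits

def find_component(components, name):
    """On-demand query: which versions of a named package does the SBOM contain?"""
    return sorted(c.get("version", "") for c in components if c.get("name") == name)
```

The incomplete-component check is the piece that matters when vendors deliver partial SBOMs: a component with no version or purl cannot be matched to any advisory, which is the same blind spot the Army's self-generation fallback is meant to close.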

SBOM Pilot Programs and Contract Language

Some Army programs have already piloted the inclusion of SBOM language in their contracts, with initial deliveries of SBOMs expected soon. The goal is to eventually standardize SBOM requirements across all contracts, ensuring compliance and enhancing the Army’s software security posture.

Additionally, the Army aims to incorporate contract language requiring vendors to comply with the Secure Software Development Framework (SSDF), a set of best practices that guide the secure development and maintenance of software. Under this framework, vendors would be required to submit legally binding attestation letters confirming their adherence to secure development practices for all software, components, and updates delivered to the Army. This step aligns with broader federal initiatives such as the Cybersecurity and Infrastructure Security Agency's (CISA) guidelines and the Executive Order on Improving the Nation’s Cybersecurity, issued in November 2022.

By enforcing SBOM and SSDF compliance, the Army aims to prevent software supply chain attacks like the infamous SolarWinds breach of 2020. That attack, which impacted multiple federal agencies and private companies, highlighted the need for increased scrutiny of third-party software and the risks posed by vulnerable supply chains.

Broader Federal Policy Alignment

The RFI also contributes to the Army’s effort to align its software security practices with several federal policies. In addition to the 2022 cybersecurity executive order, the Army is addressing requirements outlined in the Office of Management and Budget’s (OMB) Memorandums M23-18 and M23-16, which emphasize the importance of securing software supply chains across all federal agencies.

A study by IBM Security found that the average cost of a data breach in 2023 reached $4.45 million, highlighting the significant financial and operational risks posed by insecure software. With the increasing frequency and sophistication of cyberattacks, the U.S. government has made securing its software supply chains a top priority. The Department of Homeland Security reported a 20% increase in cyberattacks on government systems over the past five years, reinforcing the need for stringent cybersecurity measures.

Moving Forward: Industry Collaboration

The Army will consider feedback from this RFI as it refines its contracting guidelines, technical policies, and strategies for future software acquisitions. As the military continues to modernize, collaboration with the private sector will be essential to developing cutting-edge, secure technologies. With the global cybersecurity market projected to grow to $366 billion by 2028, the Army’s effort to integrate SBOM processes represents a critical step toward securing its software supply chain against future threats.