A Software Bill of Materials (SBOM) accounts for the software components contained in an application (open source, proprietary or third-party) and details their provenance, license and security attributes. Essentially, an SBOM is a formal inventory of software components and their hierarchical relationships. It also helps illuminate the potential involvement of third parties which could create risk for end customers.
When the Biden administration released Executive Order 14028, “Improving the Nation’s Cybersecurity,” it included Section 4: Enhancing Software Supply Chain Security. As noted in our previous article, this section states that the federal government needs to rapidly improve the security and integrity of the software supply chain, including critical software.
The National Institute of Standards and Technology (NIST) was tasked with defining “critical software” as well as publishing further guidance to help agencies prepare for digesting SBOM information. In May 2022, the Department of Homeland Security (DHS) will make recommendations to the Federal Acquisition Regulatory (FAR) Council to implement software standards, procedures and SBOM guidance that could result in changes to contracting language.
Hence, federal contractors that offer and sell commercial software should expect to begin seeing contract language directing adherence to the EO-focused software standards, procedures and criteria, including the provision of an SBOM in the near future. These changes are also expected to result in the removal of "non-compliant software" from existing contracting vehicles, including indefinite delivery, indefinite quantity contracts, multiple-award contracts, blanket purchase agreements and GSA Schedule contracts.
If you are a commercial software or cloud service provider, you should get familiar with SBOM. Download our guide to understand SBOM minimum elements and capability levels and gain access to our summary of essential SBOM resources.
Start by keeping up with the latest government guidelines. Baker Tilly specialists are here to provide direction on the latest regulations and the potential impact on your business, your systems and your government contracts. And we offer a full suite of supply chain risk management (SCRM) services that can help you establish an effective third-party risk management structure. An optimal SCRM structure will help you keep pace with the government’s emerging needs, including Section 4 of the E.O.