The U.S. Army Signs Software Bill of Materials
The U.S. Army issued a software bill of materials (SBOM) policy on Aug. 16, announced Young Bang, principal deputy assistant secretary of the U.S. Army's Acquisition, Logistics and Technology department, at AFCEA International’s annual TechNet Augusta conference, held Aug. 19-22, 2024, in Augusta, Georgia.
The measure is intended to secure the Army’s production of software and reduce cyber vulnerabilities.
The SBOM concept, pioneered by the National Telecommunications and Information Administration, identifies, specifies and lists the software components of a product along with information about how those components relate to the supply chain. A detailed description of the software components, and of any third-party links, in any software-based capability is necessary to identify cyber vulnerabilities and reduce cybersecurity risks.
The new SBOM policy "enumerates the details and supply chain relationships of various components used in building software," Bang explained.
Army project managers and program executive officers, especially, will leverage SBOMs for vulnerability management, incident management and supply chain risk management. The measures will help secure the software supply chain across the service.
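As an added illustration of the two uses the article describes (an enumerated component list with its supply chain relationships, and using that list for vulnerability management), the following example is not from the article or the Army's policy; the SBOM is a constructed, CycloneDX-like document with placeholder package names, and the advisory list is likewise constructed.

```python
# Added example (not from the article or the Army's policy): how an SBOM's
# component list plus dependency graph supports vulnerability management.
# SBOM below is constructed inline in a CycloneDX-like shape; the advisory
# list is also constructed. All names, versions and ids are placeholders.
from collections import deque

SBOM = {
    "components": [
        {"bom-ref": "app@1.0", "name": "mission-app", "version": "1.0"},
        {"bom-ref": "webfw@2.3", "name": "webfw", "version": "2.3"},
        {"bom-ref": "jsonlib@4.1", "name": "jsonlib", "version": "4.1"},
        {"bom-ref": "tls@1.2", "name": "tlslib", "version": "1.2"},
    ],
    # Supply chain relationships: which component pulls in which.
    "dependencies": [
        {"ref": "app@1.0", "dependsOn": ["webfw@2.3", "tls@1.2"]},
        {"ref": "webfw@2.3", "dependsOn": ["jsonlib@4.1"]},
        {"ref": "jsonlib@4.1", "dependsOn": []},
        {"ref": "tls@1.2", "dependsOn": []},
    ],
}

# Constructed advisories: (package name, affected version) -> advisory id.
ADVISORIES = {("jsonlib", "4.1"): "ADV-EXAMPLE-001"}


def affected_components(sbom, advisories):
    """Direct hits: components whose name/version appear in an advisory."""
    return {c["bom-ref"]: advisories[(c["name"], c["version"])]
            for c in sbom["components"]
            if (c["name"], c["version"]) in advisories}


def dependents_of(sbom, ref):
    """Walk the dependency graph upward to find every component that
    transitively depends on `ref`, i.e. everything exposed through it."""
    parents = {}
    for d in sbom["dependencies"]:
        for child in d["dependsOn"]:
            parents.setdefault(child, set()).add(d["ref"])
    seen, queue = set(), deque([ref])
    while queue:
        for p in parents.get(queue.popleft(), ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def exposure_report(sbom, advisories):
    """Map each advisory hit to the components exposed through it."""
    return {ref: {"advisory": adv, "exposed": sorted(dependents_of(sbom, ref))}
            for ref, adv in affected_components(sbom, advisories).items()}
```

Running `exposure_report(SBOM, ADVISORIES)` shows that a vulnerable transitive library is not just a finding against that library but also against the web framework and the application that ship it, which is the relationship view an SBOM exists to provide.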
Bang acknowledged that the SBOM policy does not include bill of materials guidance for cloud services "at this time."
The Army spent the last year or so coming up with the policy, starting with the software bill of materials request for information issued on Sept. 15, 2023. The request for information sought “industry feedback on approaches being considered to improve the Army’s software supply chain security through proactive monitoring and mitigation of critical vulnerabilities,” according to the document.
Now, as part of implementing the signed SBOM policy, the Office of the Assistant Secretary of the Army (Acquisition, Logistics and Technology), known as the ASA (ALT), will provide more information and “playbooks,” Bang said, including a specific SBOM management and implementation guide for leaders to use.
“We will get guidance out there. It is part guidance for our force, part guidance from an acquisition standpoint, but also from a procurement and contracting perspective,” he stated. “I think across the board, but more than 90% of the people in the industry are much better aligned with SBOMs. They're not necessarily in favor of the software attestation that the federal government is really pushing.”
Next, the acquisition leaders will work on an associated data bill of materials policy and an artificial intelligence summary card policy, both expected in fiscal year 2025, Bang shared. The policy structures will aid the Army's Project Linchpin, the service's artificial intelligence (AI) solutions pipeline that it is building to support its sensing, targeting and intelligence, surveillance and reconnaissance environment. Project Linchpin was rolled out in September 2022 by the Program Executive Office for Intelligence, Electronic Warfare and Surveillance to broaden the use of AI in tactical environments, while ensuring data security, openness and AI modularity with maximum flexibility.
As a whole, the service’s acquisition community is working to produce capabilities at speed and scale to meet the demands of the Army, operating in a near-peer environment. It has undertaken and accomplished other key steps, Bang emphasized. The signed SBOM policy builds on the service’s modern software directive (released in March) and the digital engineering directive (released in May), among other measures. The modern software directive provides policies to decouple hardware and software materials, while the digital engineering directive was meant to bring antiquated paper-based Army methods up to industry levels.
“Most of the industry already does things in a digital engineering construct,” Bang stressed. “And we were asking them to convert those digital models to a paper-based model and send it to us so then we could review it, and they converted them back to a digital model. That didn’t make sense, so we're really driving the streamlining of that process. With our digital engineering policy, we can accelerate the process from a digital, from a software, from all capabilities, hardware and digital, across the board, and meet industry where you are.”
“We talk about acquisition at speed and production at scale,” Bang explained. “That is for our weapons platforms, for our business systems, for our cyber capabilities, for electronic warfare, all of those things. We are accelerating across the board to get capabilities out to our soldiers at speed. And we are literally getting out capabilities two years after we get requirements in from a physical hardware capability.”
In some cases, the acquisitions community is able to field capabilities incredibly fast, Bang continued.
“Because of the new authorities that we are using, like the Rapid Acquisition Authority, we are able to get things like Coyotes in theater in three months,” he said, speaking of the expendable counter-unmanned aerial system built by Raytheon that is deployed from a sonobuoy tube.
Bang credits the close association between ASA (ALT) leaders, the Army’s chief information officer, the Army G6, the service’s information technology enterprise officials and Army cyber leaders for the progress of the service’s continued digital modernization efforts.
“Going back to when I was supporting the Army in the green suit, or even as an action officer, I have not seen better alignment within the Army at the enterprise for the modernization efforts and the digital transformation,” Bang stated. “The CIO and the G6 alignment with our cyber, and also alignment with ASA (ALT), has been incredible.”