
Enhancing the Army’s Digital Defenses: The New SBOM Mandate

A look into what the service's new software bill of materials policy means for software providers.

Over the last several years, the U.S. Army has faced an onslaught of threats from the cyber battlefield. Since 2015, the U.S. Department of Defense (DoD) alone has recorded more than 12,000 cyber incidents.

It is no coincidence that the rise in cyber attacks against the DoD parallels the rise in software supply chain attacks. According to Gartner, software supply chain attacks are expected to triple by 2025 compared with 2021, and more than half of those incidents (58%) are expected to target federal sectors.

To respond to these threats, the Army’s assistant secretary for Acquisition, Logistics and Technology issued a memo mandating that software producers provide software bills of materials (SBOMs) for all new software contracts, including commercial off-the-shelf (COTS) contracts, by February 2025. The mandate aligns with the Biden administration’s Executive Order 14028, which requires software providers working with federal agencies to attest to the security of their software, and it is a meaningful push toward a safer federal software supply chain.

Despite the benefits to both software providers and the Army, organizations affected by the memo are likely to have questions, such as:

  • Why the push for accurate and complete SBOMs?
  • What steps should software providers take to comply with the new requirements?

Understanding the Importance of SBOMs

A strong cybersecurity posture for the Army begins with understanding every layer of software within its environment—open-source (which makes up most of today’s software), third-party and proprietary code alike. A complete, accurate SBOM provides visibility into the software components and dependencies across an organization’s supply chain. That transparency is essential for software security, compliance and vulnerability management.

SBOM use is shifting from a mere compliance checkbox to a continuous assessment tool. By monitoring the integrity of each software component recorded in the SBOM, the Army can confirm that software remains secure, compliant and free from vulnerabilities even after it has been deployed. This matters all the more for the Army given the nature of its systems, the data they hold, and what is at stake if its networks are compromised: our national security.

As the increasingly complex software ecosystem evolves, the SBOM will be a pillar of the Army’s assurance that its software is safe.

“Over the next several years, I anticipate that other parts of the DoD will follow the Army’s lead and enact similar mandates. It’s a great first step to ensure our country as a whole is better protected from the increase in software supply chain attacks.”
Nick Mistry, Senior Vice President and CISO at Lineaje

Preparing for the New SBOM Mandate From the Army

To comply with the new SBOM mandate, here are key steps software providers should follow:

  1. Ensure visibility into contracts and subcontractors’ software supply chains. Many software providers rely on multiple sources, including subcontractors and other contracts, to build and maintain software. Providers must track, share and manage SBOMs across all of those vendors and partners to validate compliance for the entire software supply chain.
  2. Identify and remediate vulnerabilities quickly. Recognizing vulnerabilities is only half the battle. Organizations must also take the right steps to fix them quickly, especially in open-source code for which no patch is available.
  3. Produce comprehensive SBOMs. Software providers must produce SBOMs that are in line with National Telecommunications and Information Administration (NTIA) standards. With a comprehensive SBOM generation solution, providers can ensure that all open-source, third-party and custom-developed components and dependencies are included and that the SBOM meets the Army’s new mandate.
  4. Create an SBOM repository. Software vendors need a central repository for all SBOMs so that software consumers such as the Army can be sure that all shared information is controlled, and so that security teams have a better handle on access privileges.
  5. Manage a secure channel to share SBOMs. Software providers must have tools that provide secure channels for sharing SBOMs and security attestations with the Army and any other federal agencies. Doing so preserves confidentiality and software integrity while meeting contractual obligations.

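As an added example (not code from the article, from Lineaje or from the Army), the following Python script exercises steps 2 and 3 above together with the continuous-assessment idea from the earlier section: it parses a constructed CycloneDX-style JSON SBOM, checks it against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationships, SBOM author and timestamp), matches component purls against a constructed advisory list, and compares the SHA-256 hashes recorded in the SBOM with a known-good set to detect drift after deployment. Every component name, purl, advisory ID and hash in it is made up for illustration.

```python
from __future__ import annotations
import json
from datetime import datetime

# Constructed CycloneDX-style SBOM. "example-parser" deliberately lacks a
# supplier, a version and a dependency entry so the checker has findings.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-06-01T12:00:00Z",
        "authors": [{"name": "Example Vendor Build Pipeline"}],
        "component": {"bom-ref": "app", "name": "mission-app", "version": "2.3.0",
                      "purl": "pkg:generic/example/mission-app@2.3.0",
                      "supplier": {"name": "Example Vendor"}},
    },
    "components": [
        {"bom-ref": "lib-a", "name": "example-http", "version": "1.4.2",
         "purl": "pkg:pypi/example-http@1.4.2",
         "supplier": {"name": "Example OSS Project"},
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"bom-ref": "lib-b", "name": "example-parser",
         "purl": "pkg:pypi/example-parser",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
                     {"ref": "lib-a", "dependsOn": []}],
})

# Constructed advisory feed: purl without version -> advisory id -> affected versions.
SAMPLE_ADVISORIES = {"pkg:pypi/example-http": {"EXAMPLE-ADV-0001": {"1.4.1", "1.4.2"}}}

# Constructed known-good SHA-256 values from an earlier, trusted build.
KNOWN_GOOD_SHA256 = {"pkg:pypi/example-http@1.4.2": "a" * 64,
                     "pkg:pypi/example-parser": "c" * 64}


def check_ntia_minimum_elements(sbom: dict) -> list[str]:
    """Return findings against the NTIA minimum elements: supplier, name,
    version, unique identifier, dependency relationships, author, timestamp."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        findings.append("SBOM author missing")
    try:  # tolerate a trailing 'Z' on older Python versions
        datetime.fromisoformat(meta.get("timestamp", "").replace("Z", "+00:00"))
    except ValueError:
        findings.append("SBOM timestamp missing or not ISO 8601")
    components = [meta.get("component", {})] + sbom.get("components", [])
    refs = {c.get("bom-ref") for c in components}
    described = {d["ref"] for d in sbom.get("dependencies", [])}
    for c in components:
        label = c.get("name", "<unnamed>")
        for field in ("name", "version", "supplier", "purl"):
            if not c.get(field):
                findings.append(f"{label}: {field} missing")
        if c.get("bom-ref") not in described:
            findings.append(f"{label}: no dependency relationship recorded")
    for d in sbom.get("dependencies", []):
        for dep in d.get("dependsOn", []):
            if dep not in refs:
                findings.append(f"{d['ref']}: depends on unknown ref {dep}")
    return findings


def split_purl(purl: str) -> tuple[str, str | None]:
    """Split 'pkg:type/name@version' into (base, version or None)."""
    base, _, version = purl.partition("@")
    return base, (version or None)


def match_advisories(sbom: dict, advisories: dict) -> dict[str, list[str]]:
    """Map each affected component purl to the advisory ids for its version."""
    hits: dict[str, list[str]] = {}
    for c in sbom.get("components", []):
        base, version = split_purl(c.get("purl", ""))
        for adv_id, affected in advisories.get(base, {}).items():
            if version in affected:
                hits.setdefault(c["purl"], []).append(adv_id)
    return hits


def verify_component_hashes(sbom: dict, known_good: dict) -> list[str]:
    """Flag components whose recorded SHA-256 differs from the known-good value."""
    drift = []
    for c in sbom.get("components", []):
        recorded = {h["alg"]: h["content"] for h in c.get("hashes", [])}.get("SHA-256")
        expected = known_good.get(c.get("purl"))
        if expected and recorded and recorded != expected:
            drift.append(c["purl"])
    return drift


def assess(sbom_json: str) -> dict:
    """Run all three checks over one SBOM document and return the results."""
    sbom = json.loads(sbom_json)
    return {"ntia_findings": check_ntia_minimum_elements(sbom),
            "advisories": match_advisories(sbom, SAMPLE_ADVISORIES),
            "hash_drift": verify_component_hashes(sbom, KNOWN_GOOD_SHA256)}


if __name__ == "__main__":
    for name, result in assess(SAMPLE_SBOM).items():
        print(name, result)
```

In practice the advisory feed and the known-good hashes would come from a vulnerability database and from the provider's SBOM repository (step 4) rather than from inline constants, and the same checks would run on every new SBOM received through the secure channel in step 5, which is what turns the SBOM from a one-off deliverable into the continuous assessment tool the article describes.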
Over the next several years, I anticipate that other sections of the DoD will follow the Army’s lead and enact similar mandates. It’s a great first step to ensure our country as a whole is better protected from the increase in software supply chain attacks. With the tools in place to produce secure, comprehensive SBOMs that surface any potential vulnerabilities, and secure channels through which to share them, software providers can not only ensure compliance but also become a pillar of our nation’s overall cybersecurity posture.