We've been closely following the regulatory response to the increasing frequency with which cybersecurity attacks target software supply chains.
The rise in these types of attacks, coupled with the high reliance on open source components, requires diligent sourcing practices to protect organizations from vulnerabilities and produce stronger and more reliable products.
Software bills of material (SBOMS) have been thrust into the spotlight as a key defensive tool for DevSecOps because they provide a comprehensive view of all the components that make up a piece of software. This visibility makes it possible to detect security vulnerabilities or malware that might otherwise find their way into your development pipeline.
Federal response to software supply chain attacks
The rise in SBOM mandates across private and federal sectors reflects a growing emphasis on transparency and security in software supply chains, with mandates including Executive Order 14028 serving as a catalyst for policy adoption. In August 2024, the U.S. Army took the step of establishing SBOM requirements when Doug Bush, Assistant Secretary of the Army for Acquisition, Logistics, and Technology, issued a memo directing the incorporation of SBOMs into software contracts. The directive aims to ensure that by February 2025, the Army's procurement processes will fully incorporate SBOM requirements to improve its cybersecurity posture and ensure everything from business systems to weapons platforms can be deployed as quickly as possible.
The scope of the new requirements will apply to commercial applications as well as open source and "any computer software developed exclusively with Government funds to include Government-off-the-Shelf software, any computer software developed by a Contractor using exclusively Contractor funds or Independent Research and Development funds, any commercial computer software (as defined by FAR 2.101), and any noncommercial computer software developed and delivered to the Government by a Contractor."
Recognizing SBOMs as the cornerstone for effective application security practices
As part of its guidance, Army CIO Leonel Garciga issued a memo, Army Development, Security, and Operations Pipeline Certification, to establish criteria for evaluating and a process for certifying development, security, and operations (DevSecOps) pipelines. These criteria align with existing federal standards like NIST 800-53 and 800-218, ensuring compliance with well-established guidelines for risk management, system security, and supply chain integrity.
This document emphasizes the role of static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA).
General requirements include:
|
Requirement |
Criteria and Thresholds |
|
Static Application Security Testing (SAST) |
Recommendations based on category:
AOs may suppress Maintainability and Reliability findings based on risk threshold. AOs may suppress low and below Vulnerability and Security findings based on risk threshold but may not exceed this level with CISO exception. |
|
Credential / Secret Detection |
Documented exceptions only:
|
|
Linting |
Organizations and teams should establish standards for each language and tools to enforce them |
|
Requirement |
Criteria and Thresholds |
|
Software Bill of Materials (SBOM) |
High-fidelity in NIST format:
|
|
Software Composition Analysis / Known Vulnerabilities (CVEs) |
Default: Mitigation statements provided for all outstanding CVEs, reviewed by CAs AOs may suppress Medium and below CVEs based on risk threshold but may not exceed this level without CISO exception. |
|
Supply Chain Risk Management |
Default: Mitigation statements provided for Low and above findings, reviewed by CAs AOs may suppress Medium and below CVEs based on risk threshold but may not exceed this level without CISO exception. |
|
Malware Signature Detection |
No known signatures. Temporary exceptions for false positives:
|
|
Requirement |
Criteria and Thresholds |
|
Dynamic Application Security Testing |
Defaults:
|
|
Application Compliance |
AOs determine appropriateness based on risk thresholds for the software and deployment platform |
|
Secure Development Practices |
Minimized: no unnecessary components in production Current: no unsupported distributions, frameworks, language versions, etc. Least Privilege/Isolation: enforced for production AOs may issue temporary exceptions |
SBOMs are foundational for all of these because they provide component identification and dependency awareness and can streamline SCA by providing detailed information on open source and third-party applications. For defense applications in particular, short development times and the ability to deploy at scale make a big difference in mission-critical applications where the mission, the mission outcome, or even lives are on the line.
Most of today's software relies on open source, and its benefits in terms of development speed and cost are undeniable. However, it also presents the risk of introducing vulnerabilities into the SDLC, ranging from outdated components and policy violations to malware. Sonatype can bring value to the entire CI/CD lifecycle for federal teams working across different use cases.
For example, if they are working with an external integrator providing code, they can validate its compliance before allowing it into the Army ecosystem. In addition to these mandates, SBOM language is increasingly written into contracts.
Automation is key for boosting security and introducing new capabilities
The complexities of today's software development are difficult to overstate, especially in the diverse technology landscape of defense applications where reliability, availability, and security are critical. As new features and enhancements are introduced to systems, the number of SBOMs generated can escalate quickly. Getting new capabilities into the field requires more frequent releases and faster development cycles, balanced against security and responsible open source management.
For more information about how Sonatype can help you meet the U.S. Army's SBOM requirements, schedule a demo with an expert today.
Written by Otis Barnes
Otis is an Army Team Lead and a Sonatype contributor for 8 years and counting.