Success would depend to a significant degree on whether agencies require vendors of information and communications technology to provide a software bill of materials with their products and services.
Legislation aimed at improving cybersecurity through open-source software—up for a vote in the Senate Homeland Security and Governmental Affairs Committee Wednesday—hinges on the extent to which federal agencies collect software bills of material, or SBOMs, from federal contractors.
The Securing Open Source Software Act of 2022 instructs the director of the Cybersecurity and Infrastructure Security Agency to assess, “open source software components used directly or indirectly by federal agencies.” The assessment should be “based on readily available, and, to the greatest extent practicable, machine readable, information, such as software bills of material that are made available to the Agency or are otherwise accessible via the internet; software inventories collected from the Continuous Diagnostics and Mitigation program of the Agency; and other publicly available information regarding open-source software components,” according to the bill text.
SBOMs are commonly compared to the list of ingredients consumers can use when deciding between food items. Proponents say, depending on the SBOM, software consumers can be similarly judicious and avoid products and services calling on libraries of code—often open-source—that may be associated with an outsized number of known vulnerabilities or other causes for concern. SBOMs were billed as a crucial feature of Executive Order 14028, which suggested federal agencies might soon require vendors of critical software to submit SBOMs as a condition for procurement.
But a recent memo the Office of Management and Budget issued for implementation of the EO said agencies “may” require SBOMs to act as evidence vendors are following the National Institute of Standards and Technology’s guidance on secure software development. And trade associations for the software industry and major providers of information and communications technology recently opposed an effort that could guide agencies toward requiring SBOMs through the National Defense Authorization Act.
A press release the chairman and ranking member of the Homeland Security Committee—authors of the open-source security legislation—issued Thursday announcing their bill did not mention SBOMs at all.
On Wednesday, the committee will also mark up S. 4828, the Governmentwide Executive Council's Administration and Performance Improvement Act. That legislation would establish a new board to streamline and deconflict efforts by governmentwide executive councils including those consisting of agencies’ chief financial officers, chief data officers and chief information officers, among others.
S. 4528, Improving Digital Identity Act of 2022, which would make grants available to incentivize state and local governments making credentials such as drivers’ licenses digitally interoperable, is also positioned to advance out of the committee Wednesday.