Congress takes up software supply chain security

Rep. Gerry Connolly, D-Va., suggested the Federal Information Technology Acquisition Reform Act could be used for ensuring software hygiene. Tom Williams/CQ-Roll Call, Inc via Getty Images

The FITARA scorecard could become a vehicle for measuring agency progress against the administration's software security goals.

Under proposed acquisition guidelines, contractors will be required to develop and maintain software bills of materials — essentially an ingredients list covering all software used as part of a federal contract.

The purpose behind software bills of materials — or SBOMs — is to offer transparency in the event of a cybersecurity incident targeting a contractor system. The Office of Management and Budget is collecting comments on the proposed revision to the Federal Acquisition Regulation, and on Wednesday, the technology subcommittee of the House Committee on Oversight and Accountability heard from experts on the risks presented by the current software supply chain and opportunities for improvement.

Rep. Gerry Connolly, D-Va., the ranking member of the Subcommittee on Cybersecurity, Information Technology and Government Innovation, said that federal tech officials need metrics and goals built into their day-to-day operations to support improvements that work across the entire government, not individual agency, department or program silos.

"If I've learned in my agency how to protect against cyberattacks, that doesn't mean I'm gonna let you in on the secret," Connolly said. "So trying to change the culture by having metrics where you're going to be judged, and metrics that will materially improve operations and save tax dollars and allow us to be cyber-secure is kind of our goal. But you've got to create the architecture, and I have learned the hard way that in bureaucracies, you've got to create metrics people have to meet, and they've got to be meaningful metrics."

Connolly suggested that the Federal IT Acquisition Reform Act, which he co-sponsored in 2014, could be a vehicle for monitoring agency compliance with overall software hygiene.

Roger Waldron, head of the Coalition for Government Procurement, said that SBOMs are a step "in the right direction" for security, but questions remain about implementation.

He explained that government has to talk to industry to come up with a "common nomenclature" and agree on "what is actually going to be reported as part of those ingredients."

"Companies take this really seriously," Waldron said. "It is a certification, in a certain sense. When you submit that to the federal government, you are saying 'this is our software bill of materials,' and the government is going to rely on that, and it creates compliance issues and risks for industry too. So they want to get it right. So the more the government and industry can talk about how to implement it more effectively — that's going to be critically important moving forward."

The proposed rules call for an industry-standard, machine-readable format for SBOMs based on standards promulgated by the National Telecommunications and Information Administration. But as Rep. Nick Langworthy, R-N.Y., pointed out at the hearing, producing an accurate SBOM is only one piece of the puzzle; another key challenge is keeping them up to date.

"Code is changed regularly, so an SBOM that is accurate one day may be wrong the next day or even later that day," Langworthy said, noting that small businesses may not "have the resources that big companies and conglomerates do" to maintain accurate bills of materials.

Jamil Jaffer, the founder and executive director of the National Security Institute at George Mason University's law school, also cautioned that publishing SBOMs is not without potential risks.

"By exposing everything that's in a bill of materials right in the software — it also gives our adversaries information about what to go after," Jaffer said. "So there are upsides and downsides."