Compliance & Regulations

SBOM is (still) coming: Examining the Proposed FAR Amendments

The DoD, GSA, and NASA are proposing amendments to the Federal Acquisition Regulation. These proposed changes are open for public comment until December 4.

Finite State Team

October 13, 2023

Last week, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) took a significant step forward when they issued proposed amendments to the Federal Acquisition Regulation (FAR). These proposed changes, grounded in Executive Order (E.O.) 14028 and open for comment until December 4, 2023, would impose SBOMs as an explicit requirement for software purchased through federal contracts.

While SBOMs do not represent a complete solution to the Government's ever-expanding cyber threatscape, the intent of the changes is to enhance the security of Government networks and promote cybersecurity collaboration between the Government and its contractors.

What's prompting the proposed FAR amendments? 

Recent major cybersecurity incidents, such as the SolarWinds software supply chain compromise, the mass exploitation of on-premises Microsoft Exchange servers, and the Colonial Pipeline ransomware attack, make clear the pressing need for robust cybersecurity measures. These events underscore the necessity of modernizing and strengthening the federal cybersecurity framework in the face of threats from both cyber criminals and nation-state actors.

What the FAR amendments mean for SBOM

A significant component of the proposed amendments would require government contractors to develop and maintain a Software Bill of Materials (SBOM) for software sold to the federal government.

SBOMs, as formal, machine-readable records of the components (and their versions) that make up a piece of software, play a crucial role in incident response: when a new vulnerability is disclosed, an organization can quickly determine whether the affected component is present in software it runs or ships. They also provide evidence of transparency within the software development process and of a vendor's commitment to secure development practices.

However, the introduction of SBOMs raises several pertinent questions:

  • Protection & Collection: How will SBOMs be collected, who will have access to them, and what safeguards should protect the data they contain? Some software producers worry that a detailed component inventory could give malicious actors a leg-up in selecting targets and shaping attacks.
  • Scope: To ensure appropriate security, we must determine the right balance in the depth (how many levels of transitive dependencies) and breadth (which data fields per component) of the information within SBOMs.
  • Challenges: As with any change, challenges exist, especially for software resellers, who may not have visibility into the components of the products they sell, and for legacy software, for which no SBOM was ever produced. For this initiative to succeed, we must address these challenges head-on.
  • Updates: Software is not static. An SBOM describes one specific build, so it must be regenerated and redelivered with every new release or patch, which makes SBOM management, not just SBOM generation, a critical capability.

The DoD, GSA, and NASA, acknowledging the potential effects of this new SBOM requirement, have put forth similar questions as part of the notice-and-comment process to collect input from interested parties through December 4, 2023.

The FAR amendments - Beyond SBOM

The proposed rule isn't solely about SBOMs. It would also require contractors to subscribe to CISA's Automated Indicator Sharing (AIS) capability and to share cyber threat indicators with the Government. Such measures, although potentially demanding on contractors, reflect a holistic approach to cybersecurity, ensuring that both proactive (transparency into what is shipped) and reactive (threat and incident information sharing) mechanisms are in place.

What could the FAR amendments mean for contractors?

These proposed changes underscore the significance the federal government places on cybersecurity. Compliance with the new requirements, once finalized, could determine eligibility (and be a requirement for payment) under Government contracts. This new regime signifies that cybersecurity is no longer just an IT concern — it's a business imperative.

For both government and the private sector, the looming threat of cybersecurity incidents has become a fact of life and business. Though it hardly represents a complete solution, the SBOM has become something of a proxy for security, acting both as a measure of transparency and as an indication of a commitment to secure software development practices.

For some, this may be an unwelcome and burdensome requirement, but there is no denying that developing and leveraging SBOMs is quickly becoming a common requirement, and government is leading the way.

While we will have to wait for the final rule to see exactly how this particular requirement takes shape, the handwriting is very clearly on the wall (or at least in the Federal Register).

Tags

#regulation
Finite State Team

The Finite State team brings together experts in cybersecurity, embedded systems, and software supply chain risk to help connected device manufacturers secure their products and comply with evolving global regulations.
