In May of 2021, the Biden Administration issued a new and aggressive mandate to all government agencies to ratchet up cybersecurity. As a result, we can expect to see an SBOM requirement for all software developers doing business with the Federal Government.
EO 14028, The Executive Order Improving the Nation’s Cybersecurity, is a broad and far-reaching order that puts both the public sector, and all private contractors it employs, on notice to do better. The EO defines eight areas where the government needs to tighten up its protocols, and lays out a timeline for achieving those ends over the next two years.
The Federal Government works with literally thousands of private companies to develop software solutions. Together, these developers create the software infrastructure that powers our civic life. But, outsourcing this work means the government has less control over the development process. The current system lacks transparency and accountability.
Last week, the Administration issued further direction regarding Section 4 of the Executive Order, which specifically addresses the software supply chain. The recent guidance is entitled The Memorandum For the Heads of Executive Departments and Agencies regarding Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. It calls on Federal Agencies to hold contractors accountable for showing their work and disclosing all the “ingredients” that comprise their software.
Going forward, Agency Chief Information Officers (CIOs) and Chief Acquisition Officers (CAOs) must require all software developers to “self-attest” to the security of their products. That means they need to be accountable for all the components of the software package, ensuring there are no vulnerabilities for attackers to exploit. Self-attestation can be a long and tedious process, so the Executive Order also allows developers to hire a certified FedRAMP Third Party contractor to perform the audit.
The Memorandum also suggests that the Agencies obtain a Software Bill of Materials (SBOM) from software producers, to ensure secure development practices. An SBOM is an inventory of the components and software dependencies involved in the development and delivery of an application. Going forward, the Memorandum notes that agencies may want to require an SBOM during the Request for Proposal (RFP) process, to ensure the vendors bidding on a contract can attest to the security of their product. The SBOM needs to be retained by the Agency, or posted to a repository the Agency (but not the public) can access. The Federal Government’s SBOM requirement now has a timeframe, and that deadline is approaching.
The Memorandum acknowledges that these requirements are a new way of doing business. It will take significant planning and a shift in mindset for the Agencies to adapt. It provides a timeline for the Agencies to implement these new safety measures.
Within the next two years, we can expect a major shift towards transparency and accountability across the software supply chain. SBOMs will be a key part of this transition. The private sector has been focused on shifting left and integrating security into the development cycle for a number of years, and the public sector is now working hard to catch up.
Vulnerability scanning requirements are coming soon
All software developers and solutions providers that do business with the Federal Government will soon be required to scan for and remediate vulnerabilities, and stand behind the provenance of their software. The culture is shifting towards requiring SBOMs from all software developers. The time to take action is now. View the timeline for implementation here.
About SOOS
SOOS is the easy-to-integrate software security solution for your whole team. Catch and fix open source vulnerabilities on every build. Manage licenses and generate SBOMs. Scan your web apps and APIs. Get started today with SOOS SCA & DAST for one low monthly price. Try us out with a 30-day free trial.