By the beginning of 2025, the US Army plans to approve the new rules requiring the provision of detailed lists of components for the new software that will be purchased or developed. This innovation applies to both commercial software and in open source.
After almost two years of consultations with representatives of the industry, the chief specialist in the army of the Army Bush signed a memorandum ordering to include Software Bill of Materials (SBOM) in most new contracts. SBOM is a document detailing the composition of the software, which allows you to manage risks during supplies.
However, the new rule does not apply to cloud services, at least at this stage. Nevertheless, for most other software, including both custom-made and commercial and open solutions, SBOM will become mandatory.
The memorandum obliges to create a SBOM implementation guide for 90 days. Then each program will be obliged to include requirements in its purchasing contracts. The memorandum was accepted as part of the execution of Presidential Decree Joe Bayden from 2021 on cybersecurity, which, among other things, concerned the software supply chains, as well as in accordance with the calls of regulators to strengthen the safety of the development processes in state institutions.
The process of interaction with the industry began in September 2022, when the US Army asked the company to describe its approaches to identify vulnerabilities in supplies chains, and tell about the practice of using SBOM.
To introduce certification by CISA, the CISA released a form that third parties can use to self-certify their products according to safe development standards.
The US Army supports the approach to SBOM and plans to expand its application. For example, at the end of 2023, the army requested information about the possible creation of a list of materials for artificial intelligence algorithms as part of the Linchpin project, but subsequently refused to develop a formal policy on the question.
Instead, it is planned to use more simplified “models”, which have already been widely adopted in the AI