DHS seeks automated SBOM tools for enhanced supply chain visibility

The Department of Homeland Security Science & Technology Directorate wants to encourage tech companies to develop automated software bill of materials tools offering more visibility into supply chains.

DHS S&T‘s Silicon Valley Innovation Program issued a five-year other transaction solicitation call for foundational open-source software libraries and other tools increasing the availability of trustworthy software bills of materials (SBOMs), machine-readable inventories of components and how they relate.

Many federal contractors hope SBOMs become the standard for proving government-mandated compliance with the Secure Software Development Framework. But multiple data formats exist, prompting the Cybersecurity and Infrastructure Security Agency to seek translation tools and automated SBOM generators that plug into build systems.

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms,” said Allan Friedman, senior advisor and strategist at CISA, in a statement. “By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster and more efficiently.”

SVIP issued the call on behalf of CISA for tools that will help secure essential communications, finance, transportation and energy services.

Other capabilities CISA is interested in are those that:

• visualize SBOM data on provenance and risk;
• plug into integrated development environment tools to highlight software dependencies, warn of vulnerabilities and provide mitigations; and
• use software identifiers to help system administrators using security incident and event management tools pinpoint and prioritize threats to the operational environment.

SVIP runs four phases with an optional fifth for further testing around new operational environments and use cases. Applicants will be submitting Phase 1 applications for $50,000 to $200,000 in funding to produce a minimum viable product (MVP) within three to nine months.

MVPs may be chosen to move to Phase 2: prototype development.

The deadline for Phase 1 applications is 3 p.m. ET, Oct. 3.

A virtual industry day will be held starting at 12:30 p.m. ET, July 14 for developers and vendors to ask questions about the solicitation and operational needs.

“DHS is committed to working with industry to develop tools and technologies that provide visibility into the software supply chain,” said Melissa Oh, managing director of SVIP, in a statement. “This topic call highlights core capabilities that will help bring transparency into the digital building blocks used by organizations in both their business operations and in their cyber defenses.”

DHS’ request for automated tools to help manage supply chain risk comes after the Department of Justice’s Office of Inspector General last week published details of a study in which it found that just two sub-agencies adhered to supply chain risk guidelines over the last six years.

Supply chain risk within federal agencies’ IT procurement processes has received enhanced scrutiny since the SolarWinds attack in 2020 during which software supply chains were used to breach cybersecurity defenses and steal information across government and the private sector.