House passes bill to address software supply chain risk at DHS
The House passed a bill that would require the Department of Homeland Security to establish a process for identifying materials used in software to mitigate future supply-chain cyberattacks.
A software bill of materials (SBOM) lists the origins of every component, and the DHS under secretary for management would be expected to require them of all contractors furnishing software to the department.
The bill passed 412-2 by roll call vote, as lawmakers attempt to push DHS to modernize its software acquisition process in the wake of the SolarWinds supply-chain attack that manipulated third-party components to compromise the department and eight others.
“As cyberattacks become increasingly frequent and sophisticated, it is crucial that DHS has the capacity to protect its own networks and enhance its visibility into information and communications tech or services that it buys,” said Rep. Ritchie Torres, D-N.Y., in a statement after his bill passed Wednesday. “As a federal leader in the cybersecurity space, DHS must set an example by modernizing how it protects its networks.”
The guidance that comes out of the DHS Software Supply Chain Risk Management Act would apply to new and existing contracts and be due within 180 days of enactment.
Aside from an SBOM, contractors would be expected to submit a certification that every software component is security vulnerability and defect free, after referring to the National Institute of Standards and Technology‘s National Vulnerability Database and any others designated by the under secretary in coordination with the Cybersecurity and Infrastructure Security Agency. Contractors would have to notify DHS if vulnerabilities or defects were identified during the certification process, as well as of their plan to address any known issue.
The DHS secretary would be on the hook for directing contracting officers on how to enforce the new supply chain risk management measures.
Meanwhile the Government Accountability Office would have a year to report on the act’s implementation, DHS engagement with the software industry, an assessment of how subsequent guidance complies with the Biden administration’s May cybersecurity executive order, and recommendations for supply chain improvements.
While the government has focused its efforts on supply-chain attacks since the SolarWinds breach was discovered in December, the attacks themselves remain on the rise.
“There’s been a general growth of supply-chain attacks in the software industry of 650%,” said Brian Reed, chief mobility officer at NowSecure, during an ATARC webinar Thursday. “We have seen an astronomical growth in mobile supply chain attacks, along with standard commercial web and PC-type applications as well.”
The Senate referred the bill to its Homeland Security Committee on Thursday.
“My bill will ensure that the department has access to prevent, detect and respond to future cyberattacks,” Torres said. “I urge my colleagues in the Senate to bring up and pass this important piece of legislation.”
