Industry groups have written to lawmakers, warning that software supply chain proposals included in the House version of the 2023 National Defense Authorization Act are “vague” and “internally inconsistent.”
In a letter to the House Armed Services Committee leadership of both parties, the Alliance for Digital Innovation, BSA | The Software Alliance, the Cybersecurity Coalition and the Information Technology Industry Council (ITI) criticized an amendment to the defense policy bill that would write a software bill of materials (SBOM) requirement into the federal procurement process.
If enacted in its current form, section 6722 of the NDAA would require holders of existing covered contracts, and those responding to requests for proposal from the U.S. Department of Homeland Security, to provide a bill of materials, certify that the items listed in it are free of vulnerabilities or defects, and identify a plan for managing any vulnerabilities that are found.
Ross Nodurft, executive director of the Alliance for Digital Innovation, said: “SBOMs can be a useful part of a larger program focused on secure software development. However, the process of producing and consuming SBOMs is not mature enough for it to be codified into law at this time.”
According to the industry groups, the amendment as written does not specify whether the bill of materials is limited to software components or extends to all components of a product. The risk management guidelines included in the amendment are also at odds with existing guidance from the Office of the Director of National Intelligence, the National Security Agency and CISA, the trade groups added.
The letter follows a White House memo published earlier today that will require software vendors to self-attest that they follow NIST's software supply chain security guidance before federal agencies can use their products.
The House passed its version of the 2023 NDAA in July. The Senate is still considering its own version of the annual policy bill, after which the two chambers will reconcile the two texts in conference before sending the final NDAA to the president.