Software supply chain amendment omitted from NDAA text

The now-excised section 6722 was earlier criticized by industry as “vague” and “internally inconsistent.”
Photo: The US Capitol in Washington, DC, on December 4, 2022. (Daniel Slim/AFP via Getty Images)

An amendment that would have codified a software bill of materials (SBOM) requirement in the federal procurement process has been left out of the National Defense Authorization Act (NDAA) following criticism from industry.

The omitted section 6722 would have required all holders of existing covered federal contracts, and those responding to requests for proposals from the U.S. Department of Homeland Security, to provide a bill of materials for their software and to certify that the items listed in it are free of vulnerabilities or defects.

Final text of the defense authorization bill was released Tuesday evening by the House and Senate Armed Services committees.

The amendment was left out following criticism from industry groups who in September wrote to lawmakers describing the language as “vague” and “internally inconsistent.”


In a statement, the Alliance for Digital Innovation said: “The removal of this language will benefit current Administration and industry efforts to develop a standardized approach to SBOMs across federal civilian and defense agencies.”

The trade body added: “ADI will continue to work with the Administration and Congress to implement secure software development practices, mature SBOMs, and improve the nation’s security.”

While SBOM requirements are not included in the NDAA, the White House Office of Management and Budget in September issued a memo (M-22-18) requiring federal agencies to obtain a self-attestation from software producers before using their software on government systems.

Under that guidance, federal agencies must ensure that third-party software they use was developed in line with the National Institute of Standards and Technology's secure software development and supply chain security guidance, and must collect a signed self-attestation of conformance from the vendor. That attestation is a statement by the vendor rather than an independent audit, which is why SBOMs and other verifiable artifacts remain a live topic for agencies and industry.

The final NDAA text also includes language to reform the FedRAMP cybersecurity program for cloud technology providers. It was included after the reform bill was "hotlined" in the Senate (circulated for unanimous consent) as part of an effort led by Sen. Gary Peters, D-Mich.


The latest iteration of the Federal Risk and Authorization Management Program (FedRAMP) bill passed the House in September following a six-year battle to secure its passage led by Rep. Gerry Connolly, D-Va.
