Experts Urge Congress to Establish Clear SBOM Guidance
Federal Agencies Lack Comprehensive Guidelines for Developing SBOMs, Experts Say
Procurement experts warned in congressional testimony Wednesday that government agencies still lack a clear, comprehensive framework to develop software bills of materials and use their information to bolster cybersecurity.
The White House issued an executive order in 2021 on improving the nation's cybersecurity that required agencies to implement SBOMs when developing or procuring software. Often compared to ingredient lists for food products, SBOMs provide comprehensive information about a software product's components, dependencies and third-party libraries, and have been increasingly seen as critical cybersecurity tools in securing federal software supply chains.
While the National Telecommunications and Information Administration published guidance on the minimum elements required for SBOMs, "current and proposed government requirements leave too many unanswered questions and ambiguities," according to Roger Waldron, president of the Coalition for Government Procurement.
"Current proposals would require an SBOM and attestation for major updates to existing software," Waldron said when testifying before the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation. "What is a major update? What about frequent, but small, updates? What is the role of open source and third-party software?"
Waldron recommended the government continue to seek feedback from industry on best practices around SBOM development and utilization and also establish the Cybersecurity and Infrastructure Security Agency and the Federal Acquisition Security Council as leaders in managing cybersecurity and supply chain requirements for federal contractors.
In recent years, Congress has barred federal agencies from procuring software and equipment developed by certain Chinese technology companies, including Huawei, ZTE, Hikvision, Dahua and Hytera. But reports have indicated that products, software components and services from those companies are still finding their way into the networks of critical infrastructure systems nationwide.
James Lewis, director of the strategic technologies program for the Center for Strategic and International Studies, told lawmakers that SBOMs "can let the United States identify software with Chinese elements and decide on the risks and benefits of its use."
"For U.S. government software and technology acquisitions, the risk of hostile Chinese action is almost certain," he said, adding, "Any use by federal agencies of Chinese software on devices or applications connected to the internet can provide an opportunity for access by Chinese intelligence agencies."
Agencies require clear guidelines on what should be included in their SBOMs, but they also need direction on how the information and potential vulnerabilities those SBOMs disclose could be used for destructive attacks against federal networks, witnesses said.
Jamil Jaffer, executive director of the National Security Institute at George Mason University, said SBOMs can play a critical role in preventing and mitigating cybersecurity threats - but only when in the right hands.
"Once you know what's in the software, people have to do something about it," he said. "By exposing what's in a software bill of materials, it also gives our adversaries information about what to go after."