
Mandatory SBOMs? Unpacking the US Government's Latest Contractor Guidelines

In the ever-evolving digital domain, one thing is crystal clear: the need for robust software security is at an all-time high. Recognizing this pressing need, three pivotal US government agencies – the Department of Defense (DoD), NASA, and the General Services Administration (GSA) – have published a proposed Federal Acquisition Regulation (FAR) rule that could revolutionize the way federal contractors view and manage the software they deliver. And if you're in the contracting business, this is news you can't afford to miss.

The Rise of the SBOM

At the heart of this revolution is the Software Bill of Materials (SBOM). But what exactly is it? Think of the SBOM as a detailed inventory list for a piece of software. Whether it's an open-source tool or a proprietary system, the SBOM lists every component the software is built from, together with the dependency relationships between those components, so you can see which component pulls in which.

The importance of this clarity? It's a game-changer in mitigating software supply chain risks. With an SBOM, a newly disclosed vulnerability in a library can be matched against the inventory to find every product that contains it, and fixing the known issue becomes a targeted, streamlined process rather than a guessing game. This forward-thinking approach isn't just a whimsical idea; it's a strategic response to President Biden's May 2021 Executive Order 14028 on Improving the Nation's Cybersecurity, which directed agencies to strengthen software supply chain security and cyber incident reporting. The result is the new rule proposal, charmingly dubbed Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017).

As Aspire Cyber dives deeper into the proposal, one thing is evident: “SBOMs are not just crucial; they're indispensable for timely vulnerability identification,” as the agencies have pointed out.

Decoding the Implications

However, with every major shift come significant questions:

  1. Gathering Intel: How should the government collect SBOMs from contractors efficiently?

  2. Guarding the Treasure: What safeguards should protect the intricate data within an SBOM?

  3. Scope and Scale: How expansive should the SBOM requirements be to ensure peak security?

  4. Navigating the Challenges: What obstacles might stand in the way of SBOM development? And are there unique challenges for software resellers or even age-old legacy software?

  5. Evolving with Time: How frequently should an SBOM update? Following major releases, or even minor tweaks?

  6. Balancing the Act: Who shoulders the responsibility – the government or the contractor – in monitoring software vulnerabilities?

These questions might seem daunting, but they're essential for progress. As highlighted by Chris Hughes of Endor Labs, this initiative marks a significant pivot towards heightened transparency. The expectation? Contractors might soon demand SBOMs from all third-party software vendors.

Yet, Hughes also brings forth a critical challenge: aligning SBOMs with the minimum elements defined by the National Telecommunications and Information Administration (NTIA) in July 2021, which call for a supplier name, component name, version, a unique identifier, the dependency relationships, the SBOM author and a timestamp. With many existing SBOMs falling short of that baseline, the road ahead might be a tad bumpy but undoubtedly worth the effort. As he aptly puts it, the industry needs to gear up not just in terms of providing an SBOM, but also in meeting the maturity level that has, until now, been found wanting.
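To make the two points above concrete (what an SBOM's component inventory and dependency tree let you do, and what "falling short of the NTIA minimum elements" looks like in practice), here is a small worked example. It is an added illustration written for this post, not code from the proposed rule, from Aspire Cyber's services or from any vendor tool. It assumes the CycloneDX JSON format; the SBOM document and the advisory table are constructed for the example (the `org.example` coordinates and `legacy-utils` are fictitious, while the log4j-core 2.14.1 / CVE-2021-44228 entry is real), and advisories are matched on an exact package URL, where a production check would need version-range matching.

```python
"""Walk a CycloneDX SBOM: check the NTIA minimum elements and trace vulnerable components.

Added illustration for this post, not code from the FAR proposal or any vendor tool.
The SBOM and advisory table are constructed; log4j-core 2.14.1 / CVE-2021-44228 is real.
"""
import json
from collections import deque

# Constructed CycloneDX 1.4 document. "org.example" coordinates are fictitious.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2023-10-12T09:30:00Z",
        "authors": [{"name": "Example Corp build pipeline"}],
        "component": {
            "type": "application", "bom-ref": "app",
            "name": "payments-service", "version": "1.4.0",
            "supplier": {"name": "Example Corp"},
            "purl": "pkg:maven/org.example/payments-service@1.4.0",
        },
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/reporting-lib@3.2.0",
         "name": "reporting-lib", "version": "3.2.0",
         "supplier": {"name": "Example Corp"},
         "purl": "pkg:maven/org.example/reporting-lib@3.2.0"},
        {"type": "library",
         "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "name": "log4j-core", "version": "2.14.1",
         "supplier": {"name": "The Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        # The typical legacy/reseller gap: the component is listed but barely described.
        {"type": "library", "bom-ref": "legacy-utils", "name": "legacy-utils"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.example/reporting-lib@3.2.0", "legacy-utils"]},
        {"ref": "pkg:maven/org.example/reporting-lib@3.2.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "dependsOn": []},
        {"ref": "legacy-utils", "dependsOn": []},
    ],
})

# Constructed advisory table keyed by exact purl (real matching needs version ranges).
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": "CVE-2021-44228",
}


def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def all_components(sbom):
    """Root (the product itself) plus every listed component."""
    root = sbom.get("metadata", {}).get("component")
    return ([root] if root else []) + list(sbom.get("components", []))


def check_ntia_minimum_elements(sbom):
    """Findings against the NTIA minimum elements (July 2021): supplier, component
    name, version, unique identifier, dependency relationship, SBOM author, timestamp."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("sbom: missing timestamp")
    if not meta.get("authors"):
        findings.append("sbom: missing author")
    in_graph = set()  # every bom-ref that appears anywhere in the dependency graph
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    for comp in all_components(sbom):
        label = comp.get("name") or comp.get("bom-ref", "?")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier")
        if not comp.get("name"):
            findings.append(f"{label}: missing name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not any(comp.get(k) for k in ("purl", "cpe", "swid")):
            findings.append(f"{label}: missing unique identifier")
        if comp.get("bom-ref") not in in_graph:
            findings.append(f"{label}: missing dependency relationship")
    return findings


def shortest_path(graph, start, goal):
    """BFS over dependsOn edges; returns [] when goal is unreachable from start."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return []


def find_vulnerable_paths(sbom, advisories):
    """For each component matching an advisory, return (advisory, names from the root
    product down to the affected component). An empty path means the SBOM lists the
    component but records no dependency route to it, which is itself a finding."""
    names = {c["bom-ref"]: c.get("name", c["bom-ref"])
             for c in all_components(sbom) if "bom-ref" in c}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    hits = []
    for comp in sbom.get("components", []):
        advisory = advisories.get(comp.get("purl"))
        if advisory is not None:
            path = shortest_path(graph, root, comp["bom-ref"])
            hits.append((advisory, [names[ref] for ref in path]))
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for finding in check_ntia_minimum_elements(sbom):
        print("NTIA gap:", finding)
    for advisory, path in find_vulnerable_paths(sbom, ADVISORIES):
        print(advisory, "via", " -> ".join(path))
```

Run as-is, the check reports that `legacy-utils` has no supplier, no version and no unique identifier (the kind of SBOM that would not meet the NTIA baseline), and the trace shows that the advisory for log4j-core reaches `payments-service` through `reporting-lib`, which is exactly the "which of our deliverables is affected, and through what?" question a contractor will be expected to answer quickly.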

For businesses, especially contractors, the move towards SBOMs is more than just a compliance checklist. It's a clarion call for a safer, more transparent digital future. With potential contracts hanging in the balance, the SBOM is no longer a 'good-to-have'; it's a 'must-have.'

As these changes unfold, Aspire Cyber is committed to keeping you at the forefront. Our team, backed by industry-leading expertise, is here to guide, support, and empower your business in this transition. If navigating the SBOM waters feels overwhelming, remember: you're not alone. With Aspire Cyber by your side, you're already a step ahead.

Got SBOM queries or need assistance? Contact Aspire Cyber today – your trusted partner in the world of cybersecurity!

