Industry coalition urges lawmakers to drop SBOM procurement requirement from major defense bill

By Sara Friedman  / November 28, 2022

A coalition of industry groups is urging congressional leaders to remove a provision in the Senate version of the fiscal year 2023 defense authorization bill that would direct the Defense Department to require a Software Bill of Materials from defense contractors.

“SBOMs are expected to help organizations reduce cyber risk, but they will need processes, tools, and standards to translate SBOMs into improved cybersecurity outcomes. Governments, industry, and other stakeholders are already working to develop these processes, tools, and standards -- efforts that are progressing at an impressive pace,” the coalition led by the U.S. Chamber of Commerce said in a Nov. 22 letter.

The letter says, “The most constructive step Congress can take to help SBOMs deliver their anticipated benefits is to support this ongoing work and ensure that future laws requiring SBOMs are harmonized across the U.S. government.”

The letter was sent to Senate Armed Services Committee Chairman Jack Reed (D-RI) and Ranking Member James Inhofe (R-OK). The coalition includes the Chamber, Alliance for Digital Innovation, BSA-The Software Alliance, Center for Procurement Advocacy and the Cybersecurity Coalition.

The industry groups ask the Armed Services leaders to hold the legislation “until a later date” to allow the “many executive branch activities related to SBOMs to mature the ecosystem.”

The letter lays out four arguments for delaying the implementation of SBOM legislation.

First, the coalition points to the Cyber Safety Review Board’s report on the Log4j software vulnerability, which they say “highlights the need for greater maturity around the development of SBOMs before they are written into law.”

Second, they write, “Congress and the administration are taking an uncoordinated approach to policymaking on SBOMs at a time when there is a growing consensus in favor of harmonizing federal cybersecurity requirements.” They note that the House has taken a different approach in its version of the FY-23 defense policy bill by requiring SBOMs for Department of Homeland Security contracts.

The coalition says, “Modern software is highly interconnected, so taking disparate approaches to SBOM policymaking would further complicate an already complex, emerging environment. This is especially important regarding evolving standards and best practices for managing the risk-based communication of SBOMs and the handling of and disclosure of software vulnerabilities.”

The third point argues that SBOM legislation “would get ahead of federal policies,” emphasizing ongoing work on securing software under the 2021 cyber executive order.

Under the EO, the Office of Management and Budget issued a Sept. 14 memorandum that sets a self-attestation security policy for software purchased by federal agencies, based on the National Institute of Standards and Technology’s Secure Software Development Framework. NIST released the SSDF in February along with guidance on how to use the publication from a software purchaser’s viewpoint in the context of federal procurement.

The coalition says OMB is “allowing agencies to request SBOMs based on the comparatively undefined guidance” in the National Telecommunications and Information Administration’s minimum elements for an SBOM report.

“OMB’s approach reflects a comprehensive government-wide approach that is preferable to congressional mandates directed at one agency that risk prematurely locking in technical and operational approaches for the foreseeable future. Left unchecked, these varying mandates can be expected to conflict in design and execution,” the letter says.

It continues, “Our associations believe that DOD should study the usefulness and suitability of acquiring an SBOM for noncommercial, commercial, and open-source software.”

The final argument pushes against an analogy from some stakeholders comparing SBOM “to a list of ingredients on a food package,” which the letter says is “misleading.”

The letter says, “The ingredients of packaged food do not change after they are produced, whereas most software continues to evolve and change throughout its lifecycle. Given the changing nature of software and the cybersecurity ecosystem in which it operates, overly simplistic analogies do a disservice to the broad and complex nature of formats, procedures, uniformity, and protections that are needed to make SBOMs manageable at scale.”

The coalition also wants requirements on patching to be aligned with industry best practices and international standards for coordinated vulnerability disclosure. The letter refers to International Standards Organization and International Electrotechnical Commission standards 30111 and 29147 (ISO/IEC 30111 and ISO/IEC 29147) as examples.