
Defense Leaders Discuss How SBOMs Are Being Leveraged to Enhance Military Cybersecurity


Software Bills of Materials, commonly referred to as SBOMs, have emerged in the last decade as a measure to ensure software security, transparency and integrity while protecting buyers from potential bugs and vulnerabilities. But how exactly are they being used to enhance cybersecurity across the Department of Defense?

“SBOMs are critical from a software supply chain perspective for a lot of reasons. Primarily, open source code is great, but we don’t know who contributed, so needing to be very clear on the provenance of that code and the integrity of it is critical for cybersecurity of software,” said Jennifer Swanson, deputy assistant secretary of the Army for Data, Engineering and Software, during a panel at the ExecutiveBiz Defense Software Modernization Forum last week.

According to Swanson, the Army began requiring SBOMs from their industry partners in the fall of 2022, and the service is moving forward on that effort. But now, the challenge the Army faces is how to most effectively use SBOM data to increase cybersecurity across the enterprise.


“We have developed draft SBOM contract language — that’s the easy part. The harder part is what do we do when we have an SBOM? When we get SBOMs, fantastic! Now what?” Swanson posed to the virtual audience. 

Kevin Twibell, chief information security officer for the DOD’s Platform One, agreed with his fellow panelist that SBOMs are valuable, but said they are only the tip of the iceberg when it comes to harnessing and understanding an organization’s software.

“There’s a lot of legwork that has to be done with [SBOMs],” said Twibell. “Where is it going? Where is it coming from? How do we validate what was constructed and where it was constructed? Just because you have an SBOM doesn’t mean that you’re getting the full sight picture of what you have.”

Swanson noted that the Army has spent considerable time in the last six months ensuring that they’re asking industry for “the right thing” when it comes to SBOMs and preparing for the next phases of SBOM usage within the service. The Army has set up an SBOM repository, which Swanson cites as “step one,” and now, the service is working to provide an SBOM-as-a-service capability to project managers. 

“This SBOM-as-a-service would be something that would enable searching of those SBOMs to make sure that they map, as well as the capability to search through those SBOMs for vulnerabilities. And when we are notified of critical vulnerabilities, we will have a much faster, easier way to figure out who it affects,” explained Swanson.
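As an added illustration of the lookup Swanson describes (example code written here, not code from the Army, Platform One or this article), the sketch below searches a small constructed set of CycloneDX-style SBOMs for a component named in a vulnerability notice and reports which programs ship an affected version. Every program name, component name and the advisory itself are hypothetical values built for the example.

```python
"""Toy SBOM repository search: which programs ship a component named in an advisory?"""
import json

# Constructed CycloneDX-style SBOMs. Program and component names are hypothetical.
SBOM_REPOSITORY = [json.loads(s) for s in (
    '{"metadata": {"component": {"name": "targeting-app"}}, "components": ['
    ' {"name": "fastjson-lib", "version": "2.14.1"},'
    ' {"name": "yaml-reader", "version": "2.13.0"}]}',
    '{"metadata": {"component": {"name": "logistics-portal"}}, "components": ['
    ' {"name": "fastjson-lib", "version": "2.17.1"},'
    ' {"name": "tls-lib", "version": "3.0.7"}]}',
    '{"metadata": {"component": {"name": "maintenance-tracker"}}, "components": ['
    ' {"name": "tls-lib", "version": "3.0.2"},'
    ' {"name": "fastjson-lib", "version": "2.3.0"}]}',
)]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so ranges compare numerically, not as strings.
    Assumes plain dotted numeric versions; pre-release tags are out of scope here."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """Affected when introduced <= version < fixed; fixed=None means no fix is published yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def affected_projects(sboms, advisory):
    """Return {program: [vulnerable versions]} for every SBOM that ships the advised component.
    This is the 'who does it affect?' query an SBOM repository answers when a notice arrives."""
    hits = {}
    for sbom in sboms:
        program = sbom["metadata"]["component"]["name"]
        for comp in sbom.get("components", []):
            if comp["name"] != advisory["component"]:
                continue
            if is_affected(comp["version"], advisory["introduced"], advisory.get("fixed")):
                hits.setdefault(program, []).append(comp["version"])
    return hits

# Constructed advisory: the id, component and version range are placeholders, not a real record.
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "component": "fastjson-lib",
            "introduced": "2.0.0", "fixed": "2.17.0"}

if __name__ == "__main__":
    for program, versions in affected_projects(SBOM_REPOSITORY, ADVISORY).items():
        print(f"{ADVISORY['id']}: {program} ships {ADVISORY['component']} {versions}")
```

Matching on component name alone is the weak point in practice; a production repository would key on package URLs (purl) or hashes so that renamed or vendored copies are not missed.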

While properly utilizing SBOMs is a major area of focus for DOD leaders, it’s not the only element of software modernization that needs attention. Collaboration between software factories and military services is essential for achieving the speed of software development and deployment required both on and off the battlefield in today’s evolving defense landscape, panelists agreed. 

“One of the biggest hurdles going forward is the understanding that software factories are kind of siloed because they feel that they have a unique mission. But we’re all fighting towards the same thing. We all want to modernize, we all want to do it swiftly and securely, but we need to collaborate. We need to come together and exchange ideas and what works, what doesn’t, and be able to bring the community along with us,” said Twibell.

Lt. Col. Jachin Sakamoto, agile space operations software branch chief for AFRL/RVSX within the Department of the Air Force, pointed to collaboration opportunities provided by the Software Working Group Coalition as invaluable tools for sharing knowledge, advice and lessons learned between defense software personnel.

The group meets a few times a year, and Lt. Col. Sakamoto said these gatherings “foster that cross flow of information among all the factories and across all the services.” According to Sakamoto, the next meeting will be held in September 2023.

Overall, software modernization efforts are picking up speed in the U.S. as the urgency behind the need is continually fueled by adversarial activities around the world. Lauren Pavlik, chief of data and software services for the Army’s Enterprise Cloud Management Agency, said software is all about “how we deliver more capability faster to our soldiers and ensure that we can beat our near-peer adversaries.”

“When there’s new capabilities that [adversaries] bring to the battlefield that we didn’t know they had, we’re able to quickly iterate on that and provide even better capabilities to our soldiers fast” if we can get the software piece of our defense capabilities right, Pavlik said.

Written by Summer Myatt
