Doug Bush, assistant secretary of the Army for acquisition, logistics and technology, has signed a memorandum that directs the U.S. Army’s procurement community to start including contract language requiring vendors to produce and deliver software bills of materials, or SBOMs, for all covered computer software, Federal News Network reported Monday.
The memo, signed Aug. 16, gives the Army 90 days to develop implementation guidance for SBOMs, including sample contract language and sample data item descriptions.
Upon the guidance’s release, individual program offices will have another 90 days to incorporate SBOM contract language for covered software, including for subcontractors.
In the memo, Bush, a previous Wash100 awardee, wrote that the government shares responsibility for managing supply chain risk, the discipline the Army refers to as supply chain risk management, or SCRM.
“Software is a subset of SCRM risk and SCRM is to be conducted on systems throughout their lifecycle. Army Directive 2024-02 (Enabling Modern Software Development and Acquisition Practices) emphasizes the Army’s reliance on software and the importance of understanding the risks systems can introduce to a network and how to mitigate those risks to the greatest extent possible,” he added.
The new policy does not include cloud services.
According to the report, the service expects to have the new rules for the SBOM contract language in place by February 2025.
In late 2022, the Army solicited industry feedback on how to collect and use SBOMs to help improve the security of its software supply chains and comply with the policies codified in the May 2021 executive order on cybersecurity (Executive Order 14028, Improving the Nation's Cybersecurity).