Industry letter on Software Bill of Materials Language

The Alliance for Digital Innovation, BSA | The Software Alliance, Cybersecurity Coalition, and Information Technology Industry Association sent a letter to leadership of the Senate Armed Services Committee, Senate Homeland Security & Governmental Affairs Committee, House Armed Services Committee, and House Committee on Homeland Security to express concerns about requirements in the recently passed House of Representatives National Defense Authorization Act (NDAA) Section 6722, “DHS Software Supply Chain Risk Management.” The requirements in this section jump ahead of in-progress administration and industry efforts by requiring holders of existing covered contracts and those responding to requests for proposal (RFP) from the U.S. Department of Homeland Security to provide a bill of materials (BOM), certify the items in the BOM are free of vulnerabilities or defects, and identify a plan to mitigate any identified vulnerabilities. The letter strongly urges the Senate Armed Services Committee and the Senate Homeland Security and Governmental Affairs Committee to remove the SBOM language from the NDAA and give industry and agencies more time to develop solutions that will better secure the country’s cybersecurity supply chain.

Read the full letter.