Policy

Industry groups criticize ‘vague’ software supply chain amendment to House NDAA

Four tech trade bodies warn that the legislation could impose duplicative requirements on software vendors.

September 14, 2022

(Getty Images)

Industry groups have written to lawmakers, warning that software supply chain proposals included in the House version of the 2023 National Defense Authorization Act are “vague” and “internally inconsistent.”

In a letter sent to House Armed Services Committee leadership from both parties, the Alliance for Digital Innovation, the Software Alliance, Cybersecurity Coalition and the Information Technology Industry Association criticized an amendment to the defense policy that would codify a software bill of materials in the federal procurement process.

If enacted in its current form, section 6722 of the NDAA would require holders of existing covered contracts and those responding to requests for proposal from the U.S. Department of Homeland Security to provide a bill of materials, certify the items in the BOM are free of vulnerabilities or defects and identify a plan to manage any identified vulnerabilities.

Executive Director of the Alliance for Digital Innovation Ross Nodurft said: “SBOMs can be a useful part of a larger program focused on secure software development. However, the process of producing and consuming SBOMs is not mature enough for it to be codified into law at this time.”

According to the industry groups, in its current form, the amendment does not specify whether the bill of materials is limited to software or relates to all components. Risk management guidelines included in the amendment are also at odds with guidance from the Office of the Director of National Intelligence, the National Security Agency and CISA, the trade groups added.

The missive follows a White House memo published earlier today that will require vendors to self-attest their compliance with NIST software supply chain requirements before providing their services to federal agencies.

The House passed its version of the 2023 NDAA in July. The Senate is still considering its own version of the annual policy bill, after which the two chambers will look to combine them in conference before sending the final NDAA to the president.

Industry groups criticize ‘vague’ software supply chain amendment to House NDAA

More Like This

Federal CIO calls on Congress to fund Technology Modernization Fund

HHS IT draft strategy aims to connect health data with systems

DOJ seeks public input on AI use in criminal justice system

Top Stories

GSA taps TTS deputy director to take top Login.gov role next month

CISA’s chief data officer: Bias in AI models won’t be the same for every agency

Scientists must be empowered — not replaced — by AI, report to White House argues

404 page: the error sites of federal agencies

White House hopeful ‘more maturity’ of data collection will improve AI inventories

Generative AI could raise questions for federal records laws

Oracle approved to handle government secret-level data

More Scoops

Industry groups call on White House to reaffirm commitment to ‘technology neutrality’

Software bills of material face long road to adoption

Trade group calls for omnibus spending bill to include $100M for Technology Modernization Fund

Software supply chain amendment omitted from NDAA text

Trade group calls on White House to clarify cybersecurity self-attestation proposals for software providers

Pinpointing critical software key to supply chain security, says Federal Acquisition Service leader

Trade group calls on lawmakers to focus on cloud migration, cybersecurity and acquisition reform in NDAA discussions

Latest Podcasts

Industry groups criticize ‘vague’ software supply chain amendment to House NDAA

Scientists Must Be Empowered, Not Replaced by AI

Leveraging modern access management to achieve zero trust

The role of the federal chief AI officer

Tech

Defense

Cyber

Acquisition