As part of the response to recent hacks, the United States House of Representatives voted on and passed the DHS Software Supply Chain Risk Management Act of 2021 on October 20, 2021, by a vote of 412-2. The Act covers both new and existing contracts with the Department of Homeland Security (DHS).
As a Condition on the Award of Contracts
Contractors must submit a bill of materials, defined in this Act as “a list of the parts and components (whether new or reused) of an end product or service, including, with respect to each part and component, information relating to the origin, composition, integrity, and any other information as determined appropriate by the Under Secretary.”
Continuous SBOM Updates Required
As information in the SBOM changes, contractors are required to submit updates to SBOMs. “…in the case of a change to the information included in a bill of materials…each contractor shall submit…the update to such bill of materials, in a timely manner.”
SBOMs Certified Using the National Vulnerability Database (NVD)
Items listed on the bill of materials must be “…free from all known vulnerabilities or defects affecting the security of the end product or service identified in the National Institute of Standards and Technology National Vulnerability Database…”. In other words, product risk analysis must include investigation into component vulnerabilities, their potential impact on the security of the end product, and the resulting software supply chain risk.
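The kind of check this requirement implies, as an added example that is not from the Act or from any DHS tooling: each SBOM component is measured against the integrity information the bill of materials records and against known-vulnerability data. The SBOM field names, the artifact bytes, the vulnerability records and the CVE-PLACEHOLDER identifiers are all constructed for illustration; in practice the vulnerability records would come from the NVD.

```python
import hashlib
import json
# Constructed artifact bytes standing in for the delivered components.
ARTIFACTS = {"libfoo": b"constructed libfoo 1.4.2 bytes",
             "libbar": b"constructed libbar 2.0.9 bytes"}

# Constructed SBOM shaped after the Act's definition (part, origin, integrity);
# the field names are assumptions, not a specific SBOM standard.
SBOM_JSON = json.dumps({
    "product": "example-dhs-service",
    "components": [
        {"name": "libfoo", "version": "1.4.2", "origin": "vendor-a",
         "sha256": hashlib.sha256(ARTIFACTS["libfoo"]).hexdigest()},
        {"name": "libbar", "version": "2.0.9", "origin": "vendor-b",
         "sha256": "00" * 32},  # stale hash: the recorded part no longer matches
    ],
})

# Constructed offline vulnerability records standing in for NVD lookups;
# the identifiers are placeholders, not real CVE entries.
KNOWN_VULNS = [
    {"id": "CVE-PLACEHOLDER-0001", "name": "libbar", "fixed_in": "2.1.0"},
    {"id": "CVE-PLACEHOLDER-0002", "name": "libfoo", "fixed_in": "1.4.0"},
]

def parse_version(version):
    # Dotted numeric version -> comparable tuple (assumes numeric parts only).
    return tuple(int(part) for part in version.split("."))

def integrity_ok(component, artifact_bytes):
    # The SHA-256 recorded in the SBOM must match the delivered artifact.
    return hashlib.sha256(artifact_bytes).hexdigest() == component["sha256"]

def known_vulns_for(component, vulns):
    # Records naming this component whose fix is newer than the shipped version.
    version = parse_version(component["version"])
    return [v["id"] for v in vulns
            if v["name"] == component["name"]
            and version < parse_version(v["fixed_in"])]

def assess_sbom(sbom_json, artifacts, vulns):
    # Return (component, issue) pairs that would block a clean certification.
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        if not integrity_ok(comp, artifacts[comp["name"]]):
            findings.append((comp["name"], "integrity mismatch"))
        for vuln_id in known_vulns_for(comp, vulns):
            findings.append((comp["name"], "known vulnerability " + vuln_id))
    return findings
```

A component whose SBOM entry changes (new version or new hash) is exactly the case where the Act expects an updated bill of materials, so re-running this assessment on each update is the natural place to enforce the "timely manner" requirement.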