The U.S. Army has taken a significant step forward in securing its software supply chain. Beginning in February 2025, a new mandate requires vendors working with the Army to generate and deliver Software Bills of Materials (SBOMs) for all covered software, including commercial and government-developed systems. This move, aligned with broader federal cybersecurity initiatives, underscores the Army’s commitment to mitigating supply chain risks by providing increased transparency into the software components that power mission-critical systems. Your role as a contractor or supplier is crucial in this process.
At Vigilant Ops, we believe that this mandate reflects the growing awareness of how necessary an SBOM management platform is to an organization. Our platform, which enables organizations to manage SBOMs throughout the software development lifecycle, is designed to help companies, including those working with the Department of Defense (DoD), meet these evolving requirements seamlessly. But what exactly does this new Army SBOM mandate entail, and how can suppliers and contractors best prepare for compliance?
Understanding the New Army SBOM Mandate
The Army’s new SBOM policy, issued by the Assistant Secretary of the Army for Acquisition, Logistics, and Technology, aims to address vulnerabilities within the software supply chain. Rooted in guidance from Executive Order 14028, the policy emphasizes transparency, security, and continuous monitoring of software components. As of February 2025, any contractor developing or providing software to the Army will need to deliver an SBOM alongside their product. This includes commercially available off-the-shelf (COTS) software and any open-source or proprietary code that makes up a system.
Program Executive Offices (PEOs) and Program Managers (PMs) are required to include SBOM requirements in new contract actions, manage and store SBOMs securely, and monitor these SBOMs for vulnerabilities and risk throughout the software’s lifecycle. By integrating SBOMs into the Army’s supply chain risk management process, the policy aims to mitigate threats and enhance incident response capabilities, ensuring operational resilience in defense environments.
How Vigilant Ops Supports Army Suppliers in SBOM Compliance
Navigating these new requirements may seem daunting, but Vigilant Ops offers the tools and expertise to help contractors stay ahead. Our SBOM Lifecycle Management Platform simplifies generating, monitoring, managing, and updating SBOMs in compliance with Army and DoD regulations. Here’s how our platform can assist suppliers:
- SBOM Generation: build your SBOMs automatically. Generate compliant SBOMs in support of Executive Order 14028, FDA cybersecurity guidance documents, and other frameworks. Use the platform to automate SBOM generation in the CI/CD pipeline or for fielded products and systems.
- SBOM Monitoring: find and fix urgent vulnerabilities. Leverage continuously updated vulnerability information consolidated from sources such as the National Vulnerability Database (NVD) and GitHub Security Advisories (GHSA), with false-positive matches filtered out.
- SBOM Management and Sharing: securely share, access, and update your SBOMs. The Army policy calls for SBOMs not only to be delivered but also to be stored and continuously monitored for vulnerabilities throughout the software lifecycle. Our platform provides secure, scalable SBOM storage with real-time monitoring and alerts for any vulnerability discovered in a software component, so contractors can respond to threats quickly. When a new vulnerability is published, customers can assess their entire technology portfolio in seconds, and can view, manage, and organize all their SBOMs from a single central dashboard.
- SBOM Compliance and Reporting: automate the generation of compliant SBOM documentation and complete audit trails. Built-in reporting features let suppliers demonstrate compliance with SBOM mandates, covering monitoring plans, patch velocity, and defect density.
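As an added illustration (not Vigilant Ops platform code and not Army tooling), the following shows the core of the monitoring step described above: index a set of CycloneDX SBOMs by package URL (purl), then match a newly published advisory against every stored SBOM at once, so a single new vulnerability can be assessed across a whole portfolio. The product names, SBOM contents and advisory identifiers are constructed for the example; advisory records use a simplified OSV-style shape (a version-less purl with an introduced/fixed range), and version ordering is plain numeric rather than full semver or Maven ordering.

```python
"""Cross-reference CycloneDX SBOMs against vulnerability advisories.

Added example with constructed data; the SBOMs, products and advisory IDs
below are not real. Ranges are half-open [introduced, fixed).
"""
import json
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed CycloneDX 1.5 documents for two hypothetical products.
SBOMS: Dict[str, str] = {
    "mission-planner-2.3": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libwidget", "version": "1.3.0",
             "purl": "pkg:pypi/libwidget@1.3.0"},
            {"type": "library", "name": "jsonparse", "version": "4.1.0",
             "purl": "pkg:npm/jsonparse@4.1.0"},
        ]}),
    "logistics-portal-1.8": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libwidget", "version": "1.4.2",
             "purl": "pkg:pypi/libwidget@1.4.2"},
            {"type": "library", "name": "jsonparse", "version": "3.9.5",
             "purl": "pkg:npm/jsonparse@3.9.5"},
            # No purl: cannot be matched reliably, so it is reported as skipped.
            {"type": "library", "name": "internal-crypto-shim", "version": "0.3"},
        ]}),
}

# Constructed advisories in a simplified OSV-like shape (IDs are fictional).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001",
     "affected": [{"purl": "pkg:pypi/libwidget", "introduced": "1.0.0", "fixed": "1.4.2"}]},
    {"id": "EXAMPLE-2024-0002",  # no fix published yet
     "affected": [{"purl": "pkg:npm/jsonparse", "introduced": "4.0.0"}]},
]


def parse_version(v: str) -> Version:
    """Numeric dotted versions only; non-numeric suffixes are ignored.
    A production matcher must follow the ecosystem's own ordering rules."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into the
    version-less package key and the version string."""
    body = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in body:
        key, version = body.rsplit("@", 1)
        return key, version
    return body, ""


def build_index(sboms: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each version-less purl to the (product, version) pairs shipping it."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for product, text in sboms.items():
        bom = json.loads(text)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{product}: not a CycloneDX document")
        for comp in bom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue
            key, version = split_purl(purl)
            index.setdefault(key, []).append((product, version or comp.get("version", "")))
    return index


def is_affected(version: str, rng: Dict[str, str]) -> bool:
    """True if version lies in [introduced, fixed); missing 'fixed' = unpatched."""
    v = parse_version(version)
    if v < parse_version(rng.get("introduced", "0")):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < parse_version(fixed)


def match_advisory(index: Dict[str, List[Tuple[str, str]]], advisory: dict) -> List[dict]:
    """Return one finding per (product, component) the advisory applies to."""
    findings = []
    for aff in advisory["affected"]:
        for product, version in index.get(aff["purl"], []):
            if is_affected(version, aff):
                findings.append({"advisory": advisory["id"], "product": product,
                                 "package": aff["purl"], "version": version})
    return findings


def assess(sboms: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Portfolio-wide assessment: build the index once, match every advisory."""
    index = build_index(sboms)
    findings: List[dict] = []
    for adv in advisories:
        findings.extend(match_advisory(index, adv))
    return findings


if __name__ == "__main__":
    for f in assess(SBOMS, ADVISORIES):
        print(f"{f['advisory']}: {f['product']} ships {f['package']}@{f['version']}")
```

The index is keyed on the version-less purl, so when a new advisory arrives the lookup is a dictionary hit per affected package rather than a re-scan of every SBOM. Components that lack a purl are silently skipped here; in practice those gaps should be surfaced to the supplier, because an unmatched component is exactly where a vulnerability hides.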
The Importance of SBOMs in Defense Supply Chain Security
The increased reliance on SBOMs reflects the evolving nature of current cybersecurity threats, in which risk increasingly arrives through third-party and open-source components rather than first-party code. Understanding and mitigating that risk is essential. SBOMs provide a component-level view of the software supply chain, enabling vulnerability management to be proactive and incident response to be faster when a new flaw is disclosed.
Ken Zalevsky, Vigilant Ops CEO, highlights the importance of this shift: “The Army’s SBOM mandate plays a vital role in securing the software supply chain for mission-critical systems. At Vigilant Ops, we are proud to equip suppliers with the tools they need to efficiently manage SBOMs and stay ahead of compliance demands. This mandate is more than a policy shift; it’s about safeguarding the integrity of software that underpins the nation’s defense infrastructure.”
Preparing for the February 2025 Deadline
For contractors and suppliers working with the Army, preparation for the February 2025 SBOM mandate should begin now; the deadline is approaching. Vigilant Ops is ready to partner with vendors to streamline the adoption of SBOM practices and ensure compliance with the Army's evolving security standards. With automated generation, secure storage, and continuous monitoring capabilities, our platform offers a comprehensive solution for managing SBOMs at scale.
As the Army sets new standards for software transparency, Vigilant Ops remains at the forefront, empowering organizations to meet these requirements and secure their place in future defense contracts. By embracing SBOMs today, suppliers can achieve compliance and enhance their security posture.
Contact us to learn more about how Vigilant Ops can help your organization comply with the Army’s new SBOM requirements and ensure the security of your own software supply chain.
Sources:
- Assistant Secretary of the Army Memorandum, “Software Bill of Materials Policy,” 2024
- Executive Order 14028 (Improving the Nation’s Cybersecurity), 2021