Written by Dave Nyczepir
The House passed a bill that would require the Department of Homeland Security to establish a process for identifying materials used in software to mitigate future supply chain cyber attacks.
A software bill of materials (SBOM) lists the origin of each component, and the DHS under secretary for management would be required to obtain one from every contractor supplying software to the department.
The bill passed by a 412-2 roll-call vote, as lawmakers push DHS to modernize its software acquisition process in the wake of the SolarWinds supply chain attack, in which manipulated third-party components were used to compromise the department and eight other agencies.
“As cyber attacks become more frequent and sophisticated, it is crucial that DHS has the ability to protect its own networks and improve its visibility into the information and communications technologies or services it purchases,” Rep. Ritchie Torres, D-N.Y., said in a statement after his bill passed on Wednesday. “As a federal leader in cybersecurity, DHS must lead by example by modernizing the way it protects its networks.”
The guidance issued under the DHS Software Supply Chain Risk Management Act would apply to new and existing contracts and would be due within 180 days of enactment.
In addition to an SBOM, contractors would have to submit a certification that each software component is free of security vulnerabilities and defects, after checking the National Institute of Standards and Technology’s National Vulnerability Database and any other database designated by the under secretary in coordination with the Cybersecurity and Infrastructure Security Agency. Contractors would have to notify DHS of any vulnerabilities or defects identified during the certification process, along with their plan for addressing any known issues.
The DHS secretary would be responsible for directing procurement officers on how to apply the new supply chain risk management measures.
Meanwhile, the Government Accountability Office would have one year to report on implementation of the law, DHS’s engagement with the software industry, an assessment of whether the resulting directives comply with the Biden administration’s May cybersecurity executive order, and recommendations for improving the supply chain.
While the government has focused its efforts on supply chain attacks since the discovery of the SolarWinds breach in December, the attacks themselves remain on the rise.
“There has been an overall growth in supply chain attacks in the software industry of 650%,” Brian Reed, director of mobility at NowSecure, said in an ATARC webinar Thursday. “We have seen astronomical growth in mobile supply chain attacks, as well as standard and PC-like commercial web applications.”
The Senate on Thursday referred the bill to its Homeland Security Committee.
“My bill will ensure that the department has access to prevent, detect and respond to future cyber attacks,” Torres said. “I urge my colleagues in the Senate to introduce and pass this important bill.”