White House Guidance Recommends SBOMs for Federal Agencies

The Biden White House has released a new cybersecurity executive order outlining guidelines for software supply chain security, including the suggestion that federal agency CIOs start requiring documentation of secure development and software bills of materials (SBOMs).

In a memo sent to the heads of executive departments and agencies, the White House Office of Management and Budget outlines supply chain cybersecurity best practices established by the National Institute of Standards and Technology (NIST), which would recommend a full software inventory assessment, collecting statements from each outside software vendor that its products conform to the NIST supply chain security framework, and a requirement for SBOMs when purchasing new software.

“As agencies develop requirements that include the use of new software, they must request confirmation that the software producer utilizes secure software development practices,” the OMB memo said. “This could be accomplished through specification of these requirements in the Request for Proposal (RFP) or other solicitation documents, but regardless of how the agency ensures compliance, the agency must ensure that the company implements and attests to the use of secure software development practices consistent with NIST Guidance, throughout the software development lifecycle.”