DHS, CISA solicit input on SBOM tools for enhanced software supply chain visibility

The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and the Cybersecurity and Infrastructure Security Agency (CISA) are soliciting proposals that address weaknesses in software, a key component of critical infrastructure systems. The collaboration is also looking for technology that gives stakeholders visibility into software supply chains and new risk assessment capabilities, since cyber-attacks that reach software can cause outages or damage to safety- and life-critical systems.

The S&T Silicon Valley Innovation Program (SVIP) call seeks technical capabilities that could serve the mission needs of one or more DHS Operational Components and Programs, including CISA. The topic call is looking for technology to strengthen assurance of the software supply chain, which is essential to protecting software and software-controlled systems. Part of that work is developing tools that give stakeholders visibility into software supply chains and new risk assessment capabilities.

The solicitation deadline has been set at noon PT on Oct. 3, 2022. In addition, a virtual Industry Day is set for July 14, 2022, between 9:30 and 11:30 AM PT for technology developers and vendors to discuss the solicitation and operational needs. 

“DHS is committed to working with industry to develop tools and technologies that provide visibility into the software supply chain,” Melissa Oh, SVIP managing director, said in a statement. “This topic call highlights core capabilities that will help bring transparency into the digital building blocks used by organizations in both their business operations and in their cyber defenses.”

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms,” Allan Friedman, CISA senior advisor and strategist, said. “By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster and more efficiently.”  

As part of the Software Supply Chain Visibility Tools topic call, S&T's SVIP is seeking technical capabilities to help CISA secure the digital infrastructure that individuals and organizations rely on for essential services, including communications, finance, transportation, and energy. Improving the transparency of the software supply chain is a key component of securing critical infrastructure systems.

The U.S. DHS is committed to using cutting-edge technologies and scientific talent in its quest to make America safer. SVIP, on behalf of DHS Operational Components, invests in startup companies with viable technologies suitable for rapid prototyping projects from across the nation and around the world. The aim is to adapt, develop, and harness advanced capabilities that are commercially sustainable while simultaneously meeting the needs of DHS Operational Components and Programs.

Applications must be submitted through the SVIP web portal and will not be accepted by email. Each application must address the first technical topic area (TTA), Foundational Open-Source Libraries, and one or more of the additional TTAs. The first TTA requires two open-source libraries: a multi-format Software Bill of Materials (SBOM) translator and a software component identifier translator.

An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships. Tools that make trustworthy SBOMs widely available can give stakeholders visibility into software supply chains and enable new risk assessment capabilities.

For the multi-format SBOM translator, the library must be capable of reading, writing, and translating between, at a minimum, the core SBOM fields of the common SBOM data formats: Software Package Data Exchange (SPDX), Software Identification (SWID) tags, and CycloneDX. Translation among additional SBOM data formats is welcome.
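What "translating the core SBOM fields" looks like in practice, as an added example that is not code from SVIP, CISA, or any awardee: a CycloneDX JSON BOM is read and the component identity, version, supplier, checksums, purl and dependency graph are written out as an SPDX 2.3 JSON document. The input BOM, the document namespace and the creation timestamp are constructed for the example. Two details a translator has to get right are visible here: SPDX identifiers may only contain letters, digits, '.' and '-', so CycloneDX bom-refs such as purls must be rewritten, and the two formats spell hash algorithm names differently (CycloneDX "SHA-256" versus SPDX "SHA256").

```python
"""Translate the core fields of a CycloneDX JSON SBOM into an SPDX 2.3 JSON
document. Added example for illustration; not SVIP, CISA or awardee code.
The input BOM, namespace and timestamp below are constructed."""
import json
import re

# Constructed CycloneDX 1.4 JSON BOM: one application and two libraries,
# with a single dependency edge (billing-api -> lodash).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "billing-api", "version": "2.1.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.20",
         "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "supplier": {"name": "lodash maintainers"},
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.28.1",
         "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:npm/lodash@4.17.20"]}],
})

# CycloneDX hash algorithm names -> SPDX checksum algorithm names.
HASH_ALG = {"MD5": "MD5", "SHA-1": "SHA1", "SHA-256": "SHA256",
            "SHA-384": "SHA384", "SHA-512": "SHA512"}


def _ref(comp: dict) -> str:
    """CycloneDX bom-ref is optional; fall back to name-version."""
    return comp.get("bom-ref") or f"{comp['name']}-{comp.get('version', '')}"


def spdx_id(bom_ref: str) -> str:
    """SPDX identifiers must match SPDXRef-[A-Za-z0-9.-]+, so every other
    character in a CycloneDX bom-ref (':', '/', '@', ...) becomes '-'."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", bom_ref)


def _package(comp: dict) -> dict:
    """Map one CycloneDX component to an SPDX package with its core fields."""
    pkg = {
        "SPDXID": spdx_id(_ref(comp)),
        "name": comp["name"],
        "versionInfo": comp.get("version", "NOASSERTION"),
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
    }
    if "supplier" in comp:
        pkg["supplier"] = "Organization: " + comp["supplier"]["name"]
    if "purl" in comp:
        pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                "referenceType": "purl",
                                "referenceLocator": comp["purl"]}]
    checksums = [{"algorithm": HASH_ALG[h["alg"]], "checksumValue": h["content"]}
                 for h in comp.get("hashes", []) if h["alg"] in HASH_ALG]
    if checksums:
        pkg["checksums"] = checksums
    return pkg


def to_spdx(cyclonedx_json: str) -> dict:
    """Return an SPDX 2.3 JSON document carrying the core fields of the BOM."""
    bom = json.loads(cyclonedx_json)
    root = bom.get("metadata", {}).get("component")
    comps = ([root] if root else []) + bom.get("components", [])
    name = root["name"] if root else "sbom"
    rels = []
    if root:  # the document DESCRIBES the root component
        rels.append({"spdxElementId": "SPDXRef-DOCUMENT",
                     "relationshipType": "DESCRIBES",
                     "relatedSpdxElement": spdx_id(_ref(root))})
    for dep in bom.get("dependencies", []):  # dependency graph -> DEPENDS_ON
        for target in dep.get("dependsOn", []):
            rels.append({"spdxElementId": spdx_id(dep["ref"]),
                         "relationshipType": "DEPENDS_ON",
                         "relatedSpdxElement": spdx_id(target)})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": name,
        # Constructed namespace; a real tool must emit a globally unique URI.
        "documentNamespace": "https://example.invalid/spdx/" + name,
        "creationInfo": {"created": "2022-07-01T00:00:00Z",  # constructed
                         "creators": ["Tool: cdx-to-spdx-example"]},
        "packages": [_package(c) for c in comps],
        "relationships": rels,
    }


if __name__ == "__main__":
    print(json.dumps(to_spdx(CYCLONEDX_SAMPLE), indent=2))
```

The reverse direction is the harder one: SPDX carries fields (license expressions, file-level entries, NOASSERTION values) that CycloneDX has no slot for, which is why the call asks for round-tripping only of the core fields rather than lossless conversion.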

For the software component identifier translator, the library must be capable of mapping identifiers of software components across, at a minimum, Common Platform Enumeration (CPE), SWID tags, Package URLs (purls), and SoftWare Heritage persistent Identifiers (SWHIDs). Translation among additional software component identification systems is welcome.
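Why identifier translation needs a library rather than a string rewrite, as an added example that is not code from SVIP, CISA, or any awardee: the three systems below identify different things. A purl is a set of ecosystem coordinates and can be parsed deterministically; a CPE name uses NVD's vendor/product vocabulary, so a purl can only be mapped to it through a curated table (the one-entry table here is a constructed placeholder, and the fallback is a heuristic the code labels as such); an SWHID is a hash of content, so it can only be computed from the artifact itself. SWID tags are left out of this example.

```python
"""Map a software component identifier across purl, CPE 2.3 and SWHID.
Added example, not SVIP, CISA or awardee code. The purl parser follows the
purl spec (pkg:type/namespace/name@version?qualifiers#subpath); CPE_TABLE is
a constructed placeholder for a curated purl->CPE mapping; the SWHID is
computed from file content as the spec defines it (Git blob SHA-1)."""
import hashlib
from urllib.parse import unquote

# Constructed placeholder: (purl type, namespace/name) -> (CPE vendor, product).
# A real translator would load this from a maintained mapping, not hard-code it.
CPE_TABLE = {("npm", "lodash"): ("lodash", "lodash")}


def parse_purl(purl: str) -> dict:
    """Split a purl into its components, decoding percent-encoded parts.
    Order matters: subpath ('#') first, then qualifiers ('?'), then the
    version (last '@'), so a '@' inside a qualifier value is not mistaken
    for the version separator."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    if "@" in rest:
        rest, _, version = rest.rpartition("@")
    else:
        version = ""
    parts = rest.split("/")
    qualifiers = dict(kv.split("=", 1) for kv in query.split("&") if kv)
    return {"type": parts[0].lower(),
            "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
            "name": unquote(parts[-1]),
            "version": unquote(version) or None,
            "qualifiers": {k.lower(): unquote(v) for k, v in qualifiers.items()},
            "subpath": subpath or None}


def cpe_quote(s: str) -> str:
    """CPE 2.3 formatted-string binding: every printable non-alphanumeric
    other than '.', '-' and '_' is backslash-quoted."""
    return "".join(c if c.isalnum() or c in "._-" else "\\" + c for c in s)


def to_cpe23(p: dict, table: dict) -> dict:
    """Build a CPE 2.3 application name for a parsed purl. 'source' tells the
    caller whether vendor/product came from the curated table or from a
    heuristic (namespace or name as vendor), which is only a candidate."""
    key = (p["type"], p["name"] if p["namespace"] is None
           else p["namespace"] + "/" + p["name"])
    if key in table:
        vendor, product = table[key]
        source = "curated"
    else:
        vendor, product = p["namespace"] or p["name"], p["name"]
        source = "heuristic"
    version = cpe_quote(p["version"]) if p["version"] else "*"
    cpe = "cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*" % (
        cpe_quote(vendor), cpe_quote(product), version)
    return {"cpe": cpe, "source": source}


def swhid_for_content(data: bytes) -> str:
    """SWHID of a file's contents: swh:1:cnt:<sha1 of the Git blob object>.
    It depends only on the bytes, not on where the package came from."""
    digest = hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()
    return "swh:1:cnt:" + digest


if __name__ == "__main__":
    for purl in ("pkg:npm/lodash@4.17.20",
                 "pkg:maven/org.apache.commons/commons-text@1.9"):
        print(purl, "->", to_cpe23(parse_purl(purl), CPE_TABLE))
    print(swhid_for_content(b"console.log('hi')\n"))
```

The heuristic branch is the point: "org.apache.commons" is not an NVD vendor, so a tool that emitted that CPE as fact would produce false negatives when matched against NVD data. Keeping the provenance of each mapping alongside the identifier lets downstream consumers decide how much to trust it.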

The CISA said that given the foundational nature of this TTA, and to reduce duplication of effort, companies awarded under this Call must work together as a cohort in a public and transparent manner. “The ability to accept and incorporate public technical community input and feedback is required to ensure that these open-source libraries will be broadly useful to the global technical community,” it added.

The additional TTAs are Automated SBOM Generation, SBOM-Enabled Vulnerability Visualization, an SBOM-Enabled Integrated Development Environment (IDE) Plug-in, and an SBOM-Enabled Security Information and Event Management (SIEM) Plug-in. For vulnerability visualization, DHS seeks a capability that can access and read SBOMs in various data formats, link that information with external records of vulnerabilities and severity information from trusted sources, and provide information on available patches and mitigations.

DHS seeks to develop SBOM-enabled IDE plug-ins that allow a software developer to read and visualize SBOM information, with links to Common Vulnerabilities and Exposures (CVE) records or other vulnerability records associated with the function, library, and related code. The plug-in should also show severity, the conditions under which the code is susceptible, and available patches and mitigations. It should support the open-source versions of the two most popular IDEs by market share and may support other IDEs.

For the project, DHS S&T anticipates making Phase 1 awards of US$50,000 to $200,000 in funding for each award, with an estimated period of performance of 3 to 9 months. Successful projects will be eligible for subsequent phases of funding with a ceiling range of $50,000 to $500,000 per phase (or $200,000 to $1,700,000 in total for Phases 1-4) and a duration of approximately six to nine months per phase. The ceilings of the subsequent phases depend on factors such as DHS needs and available funds; DHS will provide the specific Phase 2-4 ceiling amounts for this topic during the Phase 2-4 invitation process.

Additionally, Phase 5 may be awarded if the government determines that further operational testing is required and/or the technology is applicable to additional DHS use cases. Phase 5 Other Transaction Agreements (OTAs) will be scaled to fit the mission need in both cost and duration and are not restricted by the ceilings of the previous four phases.

CISA said that the project phase awards are dependent on progress made by the applicant, DHS needs, and availability of funds. “In order to receive consideration for subsequent Phases, applicants shall be invited by the Government to submit an application for each Phase. The Government reserves the right to not make subsequent Phase awards,” it added.
