Tech-sector trade group Alliance for Digital Innovation (ADI) sent a letter to the House and Senate Armed Services committees on Oct. 20 asking lawmakers to reconsider a provision in the forthcoming national defense policy bill that would require vendors to provide a software bill of materials (SBOM) on the technology they provide government agencies.
ADI sent a similar letter last month calling on Congress to remove from the 2023 National Defense Authorization Act (NDAA) language that would require contractors to certify that their software is free of known vulnerabilities or to present a plan for fixing any it contains.
“While ADI supports both Committees’ focus on strengthening supply chain security, including software supply chain security,” the letter continued, “we do not support certain provisions related to SBOM.”
“ADI and other trade associations have urged Congress to remove the SBOM language from the NDAA and give industry and agencies more time to develop solutions that will better secure the country’s cybersecurity supply chain,” the letter reads.
The trade group – which counts as members tech behemoths such as Amazon Web Services and Google Cloud – argued that SBOMs will not yet deliver the utility agencies want because of a lack of standardization. SBOM formats and practice need to mature, the group said, before such language is written into the NDAA.
The Senate Armed Services Committee approved the defense policy bill on June 16, and floor action on the bill formally opened in the Senate on Oct. 11 with a package of 75 amendments. However, a final vote on the bill is unlikely to occur until after the midterms.
Industry Group Support for Cyber-Loaded NDAA
As the House and Senate work toward enacting the NDAA for this fiscal year, ADI also expressed its support for key priorities in five areas including cloud migration, cybersecurity, and the workforce.
The group applauded the House for passing a version of the bill that would require the Department of Defense (DoD) to produce a study on the costs associated with underperforming software and information technology.
“The results of this study will assist the military departments and the other information technology leaders across the DoD to better identify systems, processes, and workloads that should be moved to more modern, cloud-based environments,” ADI wrote.
The group also recommended including in the NDAA the Federal Risk and Authorization Management Program (FedRAMP) Authorization Act of 2022 as well as the Federal Information Security Modernization Act of 2022 (FISMA) – legislation that, ADI argues, will support programs and offices and drive compliance across the Federal government.
“We believe the FedRAMP program has provided a strong security foundation for the Federal government, and it could continue to thrive with formal Congressional authorization and additional authorized funding for its operations,” ADI wrote.
“FISMA improves government security and promotes adoption of modern, cloud-based commercial security solutions that are the foundation of zero trust environments,” ADI said.
The trade group also expressed support for investments in “training, educating, and retaining the cybersecurity workforce.”
ADI concluded the letter by urging lawmakers to prioritize commercial and private partnerships to ensure the government has access to essential modern technology such as machine learning, artificial intelligence, and quantum computing.
“ADI encourages members to continue supporting public-private partnerships and to include commercial innovation as the bedrock for future development,” the group wrote.
“Enabling the warfighters and enterprise mission owners to partner with commercial companies and then use the buying power of the government to invest in the fruits of the shared research and development will allow the United States to maintain its technological edge throughout this century and beyond,” ADI said.