As part of the Fulcrum IT Advancement Strategy, the Department of Defense (DoD) has declared its intention to move from a hardware-defined organization to a software-defined enterprise. This move will allow DoD to take advantage of modern technology solutions (AI, cybersecurity tools, collaboration platforms, and more) that are delivered as software and designed to run in the cloud rather than on dedicated hardware. With software playing an expanded and more critical role in the defense of the nation, DoD has to ensure the solutions used to drive decisions and tactical activity are themselves secure.
Army Requires SBOMs
A software bill of materials (SBOM) is essentially a list of ingredients for a technology solution. It shows organizations all the pieces of software (libraries, packages, and other dependencies, with their versions) that make up a particular product. This visibility helps in identifying whether any component has known vulnerabilities that could pose a risk to the larger system. A requirement for SBOMs to be part of procurement practices was laid out in Executive Order 14028, Improving the Nation's Cybersecurity, and agencies across government have been requesting them from vendors new and old.
As of February 2025, the Army will require SBOMs for virtually all the new software the service buys or builds. The Army selected an SBOM approach over self-attestations, another method used to gain assurances on supply-chain security, because SBOMs provide concrete information about the risks a system can introduce to a network and help an organization plan to mitigate those risks to the greatest extent possible. A self-attestation is a vendor's statement that it followed secure development practices; an SBOM is evidence that can be checked against vulnerability data.
Challenges of SBOMs
While the concept of an SBOM makes undeniable sense, creating and using them in practice can be as complicated as the software they inventory. First, there are several formats for SBOMs, the most widely used being SPDX and CycloneDX. Each has its own schema and capabilities, which can create compatibility issues when integrating SBOMs across different tools and platforms. This lack of a single standard format means organizations must often invest in multiple tools to generate, convert, and manage SBOMs, increasing complexity and cost.
The intricate nature of software solutions themselves also makes identifying all components and their transitive dependencies a challenge. Additionally, legacy software and open-source software frequently lack the documentation needed for SBOM analysis, so an SBOM may list a component without the version or package identifier a scanner needs to match it against known vulnerabilities.
The Future is Built-In SBOMs
Platform One is a cloud-based platform that provides a secure environment for software development and delivery for the DoD. With it, DoD teams can develop technology solutions more quickly and use modern development approaches in a secure manner. SBOMs are woven into the process and the platform: Platform One utilizes containerized applications, and every container image hosted in Platform One's Iron Bank (the DoD's central container repository) must include an SBOM. With this documentation of all software components, the DoD can implement continuous monitoring to pinpoint and manage any vulnerabilities as new advisories are published, rather than rescanning each image from scratch.
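The three points above (an SBOM is a list of components, the two main formats have different schemas, and a stored SBOM can be checked against vulnerability data on an ongoing basis) are easiest to see in code. The following is an added example, not code from the page, Platform One, or Iron Bank. It normalizes a CycloneDX JSON SBOM and an SPDX 2.3 JSON SBOM into one component list, then matches each component's package URL (purl) against an advisory list. The SBOMs, package names, advisory IDs and version ranges are all constructed for illustration; a real pipeline would pull advisories from a vulnerability database and use a proper version-range library for the ecosystem in question.

```python
import json

# Constructed CycloneDX 1.5 SBOM (fictional packages, not from the page or Iron Bank).
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-parser", "version": "2.3.1",
         "purl": "pkg:pypi/acme-parser@2.3.1"},
        {"type": "library", "name": "widgetlib", "version": "1.0.4",
         "purl": "pkg:npm/widgetlib@1.0.4"},
    ],
})

# Constructed SPDX 2.3 JSON SBOM for a similar image. One legacy package carries
# no purl and no version, which is the documentation gap the article describes.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-acme-parser", "name": "acme-parser",
         "versionInfo": "2.4.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/acme-parser@2.4.0"}]},
        {"SPDXID": "SPDXRef-Package-legacy-tool", "name": "legacy-tool",
         "versionInfo": "NOASSERTION"},
    ],
})

# Constructed advisory data keyed by version-less purl. IDs and ranges are invented;
# a real scanner would fetch these from a vulnerability database.
ADVISORIES = {
    "pkg:pypi/acme-parser": [{"id": "ADV-0001", "introduced": "2.0.0", "fixed": "2.4.0"}],
    "pkg:npm/widgetlib": [{"id": "ADV-0002", "introduced": "0", "fixed": "1.1.0"}],
}


def normalize(sbom_text):
    """Reduce either format to a flat list of {name, version, purl} records."""
    doc = json.loads(sbom_text)
    records = []
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            records.append({"name": comp["name"], "version": comp.get("version"),
                            "purl": comp.get("purl")})
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for pkg in doc.get("packages", []):
            purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                         if ref.get("referenceType") == "purl"), None)
            records.append({"name": pkg["name"], "version": pkg.get("versionInfo"),
                            "purl": purl})
    else:
        raise ValueError("unrecognized SBOM format")
    return records


def version_key(version):
    """Numeric-tuple key so '2.10.0' sorts after '2.9.0' (sufficient for the sample data)."""
    key = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def split_purl(purl):
    """'pkg:pypi/acme-parser@2.3.1?x=y' -> ('pkg:pypi/acme-parser', '2.3.1')."""
    base, _, rest = purl.partition("@")
    return base, rest.split("?")[0].split("#")[0]


def is_affected(version, advisory):
    """True when introduced <= version < fixed (no 'fixed' means every later version)."""
    v = version_key(version)
    if v < version_key(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < version_key(fixed)


def scan(sbom_text, advisories=ADVISORIES):
    """Return matched advisories plus components that cannot be checked at all."""
    matches, unresolved = [], []
    for rec in normalize(sbom_text):
        version = None
        if rec["purl"]:
            base, version = split_purl(rec["purl"])
            version = version or rec["version"]
        if not rec["purl"] or not version or version == "NOASSERTION":
            unresolved.append(rec["name"])  # no identifier or version to match on
            continue
        for adv in advisories.get(base, []):
            if is_affected(version, adv):
                matches.append({"name": rec["name"], "version": version, "advisory": adv["id"]})
    return {"matches": matches, "unresolved": unresolved}


if __name__ == "__main__":
    for label, sbom in (("CycloneDX", CYCLONEDX_SBOM), ("SPDX", SPDX_SBOM)):
        print(label, json.dumps(scan(sbom), indent=2))
```

The "unresolved" list is the part worth keeping in any real pipeline: a component that has no purl or version is not a clean result, it is a blind spot, and the image should not be treated as fully assessed until that component is identified.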
For more details on the implementation of SBOMs, check out these resources from GovWhitePapers and GovEvents:
- Recommendations for Software Bill of Materials (SBOM) Management (white paper) – The office of the National Manager for National Security Systems, working in collaboration with other NSA organizations, researched and tested tools that manage SBOMs as part of a Cybersecurity Supply Chain Risk Management strategy. This guidance includes important recommendations for SBOM management tool functionality derived from the research and evaluation of various SBOM management tools.
- Software Assurance in the Cyber Supply Chain Risk Management Lifecycle (white paper) – Many well-known cyber attacks have exploited vulnerabilities and weaknesses in software and within software supply chains. This issue spans both proprietary and open-source software and affects both private sector and government enterprises. This paper provides best practices and recommendations to help agencies acquire secure software.
- Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers (white paper) – In today’s fast-paced digital landscape, software updates are essential, not only for enhancing features but also for securing systems against vulnerabilities. However, due to the complexity and constant evolution of software, deploying secure updates presents unique challenges. This guide, developed by CISA and other leading agencies, highlights best practices to help manufacturers integrate secure deployment into their software development lifecycle.
- DoD CIO Cyber Workforce Summit (March 20-21, 2025; Washington, DC) – In order to succeed in today’s environment, the Department of Defense (DoD) must remain aggressive in its innovation and development of the Digital Workforce. This two-day conference will provide a forum where DoD CIO representatives will share the latest information about supporting the Department’s cyber mission with the most capable and dominant workforce.
- Technet Cyber (May 6-8, 2025; Baltimore, MD) – This event is a platform for a whole-of-government effort to bring together the policy, strategic architecture, operations, and C2— along with the joint capabilities—needed to meet the global security challenges and successfully operate in a digital environment.
Explore GovWhitePapers and GovEvents for more insight on how SBOMs are securing DoD systems.