On July 28, Congressman Ritchie Torres’ bill that would require the Department of Homeland Security (DHS) to develop guidelines for identifying materials used in software development passed the House Homeland Security Committee by unanimous consent.
The legislation, the DHS Software Supply Chain Risk Management Act of 2021 (H.R. 4611), directs DHS to modernize its information and communication technology or services acquisition process by requiring the Under Secretary for Management to issue Department-wide guidance requiring DHS contractors to submit software bills of materials (SBOMs) that identify the origin of each component of the software furnished to DHS.
“As cyberattacks become increasingly more frequent and sophisticated, it is crucial that DHS has the ability to protect its own networks and enhance its visibility into information and communications technology or services that it procures,” Torres said. “My bipartisan bill will ensure that the Department has access to prevent, detect and respond to future cyber-attacks by ensuring that software procured by DHS is uniform and compliant with security standards. I am proud to work with my colleagues on the Homeland Security Committee to provide the Department of Homeland Security with the best tools to defend its networks.”
This comes as the SolarWinds cyber espionage campaign highlighted how bad actors can manipulate third-party components in the software supply chain for the information and communications technology or services (ICT(S)) used by the federal government. This was one of seven other events in the last decade in which software supply chains were compromised. The bill seeks to strengthen the Department’s capacity to identify and address risks in the software supply chain.
The DHS Software Supply Chain Risk Management Act is an important step toward strengthening the relationship and information sharing between DHS and industry partners. The bill follows guidance from President Biden’s May Executive Order to enhance the security of the federal government’s supply chain and build security into software systems. The security and integrity of software bought by DHS is integral to homeland security. This legislation will give DHS better insight into the software supply chain so it can effectively manage potential threats.