Health Agency CISO Looks to Increase Security in Software Transparency Requirements (Mariam Baksh, Nextgov)

The Centers for Medicare and Medicaid Services’ plan to implement President Joe Biden’s executive order on software procurement will require more than the bare minimum from contractors.

The executive order will require agencies to obtain a software bill of materials—typically described as an ingredients list of the code libraries that make up a particular application—from vendors. But not all SBOM standards are created equal. Leading standards for their formulation include SWID (Software Identification), SPDX (Software Package Data Exchange), and CycloneDX, and some only require basic licensing or version information. Proponents say gathering even that superficial information is an important first step, while others argue that realizing the full security potential of SBOMs would require revealing deeper levels of the software supply chain.


Marco Emanuele
Marco Emanuele is passionate about complexity culture, technology culture and international relations. He delves into the thought of Hannah Arendt, Edgar Morin, Raimon Panikkar. He has taught Evolution of Democracy and Totalitarianisms. Marco is editor of The Global Eye and writes for The Science of Where Magazine.
