Announcing Carah-Hub: Empowering Software Producers to Comply with Army's SBOM Policy
To enhance software transparency and security, the U.S. Army issued a memo on August 16, 2024 mandating the use of Software Bills of Materials (SBOMs) for a broad range of software used within its operations.
This initiative represents a critical step toward fortifying the Army’s software supply chain and ensuring transparency into the components that make up its critical applications.
This mandate requires a comprehensive SBOM upon delivery to the government and applies to all types of software, including:
Government-off-the-Shelf (GOTS) software developed with government funds
Commercial software, including Commercially Off-the-Shelf (COTS) products
Noncommercial software
Open-source components
Software developed by contractors, funded through Independent Research and Development (IR&D) or contractor funds
Timelines and Requirements
According to the memo, the mandate goes into effect in February 2025. The U.S. Army’s SBOM mandate includes several key requirements that software producers must be prepared to meet to ensure compliance. These requirements are as follows:
Generate Compliant SBOMs: Software producers must be able to generate SBOMs for the SKUs they sell to the US Army.
Publish SBOMs: Deliver SBOMs and related documents to the Army in SPDX/CycloneDX digital formats.
Analyze SBOMs: Assess published SBOMs in accordance with the Army’s requirements, including:
Securely Share: Software producers must implement processes for the secure sharing of SBOMs.
Manage SBOMs: Enable the Army to perform the collection, storage, management, and continuous monitoring of SBOMs as outlined in the Army’s codified processes.
Continuous Risk Assessment and Incident Response: Producers must support and align with the Army’s processes for performing risk assessments and responding to incidents related to SBOMs.
Timely and Automated SBOM Updates: Producers must periodically review and update their SBOM to reflect any changes in the ASA(ALT) SBOM requirements.
Inherent Risk Detection and Remediation: Producers must actively engage with the Army in helping address risks in the software supply chain as identified in their SBOMs.
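A producer asked to "generate compliant SBOMs" and "publish in SPDX/CycloneDX formats" will want a quick self-check before submitting. The script below is an added example, not code from Carahsoft, Lineaje or the Army, and it is not the Army's codified assessment: it runs a baseline completeness check over a CycloneDX JSON document (format marker, serial number, timestamp, author, supplier, component name/version, a unique identifier per component, and dependency references that resolve). The field set is an assumption chosen for illustration, and the sample SBOM is constructed inline with one deliberately incomplete component so the check has something to report.

```python
"""Baseline completeness check for a CycloneDX JSON SBOM (added example).

The checks below are a general baseline assumption, not the Army's or
Carah-Hub's requirements; adjust the field list to the standard you
are actually held to.
"""
import json
from datetime import datetime

# Constructed sample: a small CycloneDX 1.5 JSON document, not a real product SBOM.
# The second component intentionally lacks a purl and a supplier.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {
        "timestamp": "2024-11-01T12:00:00Z",
        "authors": [{"name": "Example Vendor Build Team"}],
        "component": {"type": "application", "name": "example-app", "version": "2.3.1",
                      "bom-ref": "example-app@2.3.1",
                      "supplier": {"name": "Example Vendor, Inc."}},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.0",
         "purl": "pkg:generic/libfoo@1.4.0", "bom-ref": "libfoo@1.4.0",
         "supplier": {"name": "Foo Project"}},
        {"type": "library", "name": "libbar", "version": "0.9.2",
         "bom-ref": "libbar@0.9.2"},
    ],
    "dependencies": [
        {"ref": "example-app@2.3.1", "dependsOn": ["libfoo@1.4.0"]},
        {"ref": "libfoo@1.4.0", "dependsOn": ["libbar@0.9.2"]},
    ],
})


def check_sbom(text: str) -> list[str]:
    """Return a list of findings; an empty list means every baseline check passed."""
    findings: list[str] = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    # Document-level identity: format marker, spec version, unique serial number.
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if not str(bom.get("specVersion", "")).startswith("1."):
        findings.append("specVersion missing or unrecognised")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        findings.append("serialNumber missing or not a urn:uuid")

    # Provenance: who produced the SBOM, when, and for which root component.
    meta = bom.get("metadata") or {}
    try:
        datetime.fromisoformat(str(meta["timestamp"]).replace("Z", "+00:00"))
    except (KeyError, ValueError):
        findings.append("metadata.timestamp missing or not ISO-8601")
    if not meta.get("authors"):
        findings.append("metadata.authors missing")
    root = meta.get("component") or {}
    for field in ("name", "version"):
        if not root.get(field):
            findings.append(f"metadata.component.{field} missing")
    if not (root.get("supplier") or {}).get("name"):
        findings.append("metadata.component.supplier missing")

    # Per-component inventory: name, version, a stable ref, an identifier, a supplier.
    refs = {root["bom-ref"]} if root.get("bom-ref") else set()
    for i, comp in enumerate(bom.get("components") or []):
        label = comp.get("name") or f"components[{i}]"
        for field in ("name", "version", "bom-ref"):
            if not comp.get(field):
                findings.append(f"{label}: {field} missing")
        if not comp.get("purl") and not comp.get("cpe"):
            findings.append(f"{label}: no unique identifier (purl or cpe)")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: supplier missing")
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])

    # Relationship data: every dependency reference must point at a known bom-ref.
    deps = bom.get("dependencies")
    if not deps:
        findings.append("dependencies section missing (no relationship data)")
    else:
        for dep in deps:
            for ref in [dep.get("ref")] + list(dep.get("dependsOn") or []):
                if ref not in refs:
                    findings.append(f"dependency ref {ref!r} does not match any bom-ref")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the check reports the two gaps on `libbar` (no purl/cpe, no supplier) and nothing else; an empty document or non-JSON input produces document-level findings instead of an exception, so the check can be wired into a build pipeline as a gate that fails on any non-empty result.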
Announcing Carah-Hub for SBOM Continuous Compliance with Government Mandates:
With a significant rise in mandates for secure and compliant SBOM sharing with the government, in accordance with NIST C-SCRM and EO 14028, Carahsoft is committed to supporting vendors in not only generating SBOMs but also ensuring ongoing compliance.
Carahsoft is pleased to invite all software vendors to join Carah-Hub, a joint collaboration with Lineaje Inc., the industry’s foremost provider of SBOM management solutions. Carah-Hub enables software vendors serving the US Army and other government agencies to securely publish SBOMs that are:
What Software Producers Need to Do:
Verify with your product leadership team that you have the capability to create SBOMs for the software you provide to the US Army, and that you can verify meeting all of the C-SCRM compliance requirements.
Subscribe to Carah-Hub to publish your SBOM. Carah-Hub will review your SBOMs for compliance with the required standards.
Next Steps:
Designate a team member to collaborate with the Carahsoft and Lineaje teams to ensure full compliance; send us a message to learn more.
Register today for the upcoming webinar on Thursday, November 21st, 2024 at 2pm EST / 11am PST