As part of the response to recent hacks, the United States House of Representatives voted on and passed the DHS Software Supply Chain Risk Management Act of 2021 on October 20, 2021, by a vote of 412-2. The Act covers both new and existing contracts with the Department of Homeland Security (DHS).
Contractors must submit a bill of materials, defined in this Act as “a list of the parts and components (whether new or reused) of an end product or service, including, with respect to each part and component, information relating to the origin, composition, integrity, and any other information as determined appropriate by the Under Secretary.”
As information in the SBOM changes, contractors are required to submit updates to SBOMs. “…in the case of a change to the information included in a bill of materials…each contractor shall submit…the update to such bill of materials, in a timely manner.”
Items listed on the bill of materials must be “…free from all known vulnerabilities or defects affecting the security of the end product or service identified in the National Institute of Standards and Technology National Vulnerability Database…”. In other words, product risk analysis must investigate component vulnerabilities and their potential impact both on the security of the product and on software supply chain risk.
Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.