This blog post is part 2 of a series examining the use of SBOMs in Defense.  In part 1, I wrote about the policies and deadlines relating to the adoption and collection of SBOMs in the Army.  In this blog post, I’ll highlight real-world use cases for SBOMs across critical Army programs and technology platforms. 

Looking for Part One? Read "The New Forcing Function to Sustain Our National Security: SBOMs" Now!

PEO Aviation maintains a vast portfolio of aircraft platforms managed across nine project offices, including the CH-47F Chinook, UH/HH-60M Black Hawk, UH-72A/B Lakota, and AH-64 Apache. These platforms are developed, delivered, and sustained by a handful of prime contractors, hundreds of their subcontractors, and thousands of third parties.

Critical software runs the avionics, communications, data management, imaging, power, electronic warfare (EW), targeting, radar, and command and control (C2) systems in each aircraft platform, just to name a few. Having a Software Bill of Materials (SBOM) for each software package onboard every aviation platform won’t secure these systems on its own, but having them available as the “ingredients list” is the first step in improving HOW they should be secured.

Relevant Visibility and Risk Alerting Start with SBOMs 

A catalog of SBOMs for all these systems would act as the genetic baseline of software components and the companies behind them, which ultimately would provide:  

  • Automated discovery and alerting of new and existing vulnerabilities across all fielded aircraft platforms, their systems, and components   
  • Traceability of component vulnerabilities to OEM suppliers   
  • Effective screening and monitoring of aviation systems for open-source dependencies and the presence of foreign code, particularly adversarial contributions (e.g., China, Russia, Iran)
  • Mapping software component dependencies to measure cyber-attack surfaces  
  • Prioritization of vulnerability mitigation based on component function and criticality to other systems  
  • Visibility of common software components being used across every aviation platform   
  • Continuous monitoring under the Risk Management Framework (RMF) and automation of the manual procedures needed for continuous authority to operate (cATO)
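As an added example (not code from the original post or from Fortress), here is what three of the capabilities above look like in practice once SBOMs sit in a catalog: matching catalogued components against advisories, tracing each hit to its supplier, and spotting components fielded on more than one platform. The catalog, vendor names, versions and advisory ids are constructed placeholders in a simplified CycloneDX-like shape, not real Army data or real CVEs.

```python
from collections import defaultdict

# Constructed sample catalog (hypothetical vendors/versions, not real Army data).
# Each entry mirrors the CycloneDX component fields name/version/supplier.
CATALOG = {
    "CH-47F": [
        {"name": "rtos-kernel", "version": "4.2.1", "supplier": "VendorA"},
        {"name": "libxml2", "version": "2.9.10", "supplier": "VendorB"},
    ],
    "AH-64": [
        {"name": "libxml2", "version": "2.9.10", "supplier": "VendorC"},
        {"name": "radar-dsp", "version": "1.0.0", "supplier": "VendorC"},
    ],
}

# Constructed advisories with placeholder ids (not real CVEs).
ADVISORIES = [
    {"id": "ADV-0001", "name": "libxml2", "affected": {"2.9.10", "2.9.11"}, "severity": "high"},
    {"id": "ADV-0002", "name": "rtos-kernel", "affected": {"4.2.0"}, "severity": "critical"},
]

def find_vulnerable(catalog, advisories):
    """Match each catalogued component to advisories by name and exact affected
    version; every hit keeps platform and supplier so it is traceable to the OEM."""
    hits = []
    for platform, components in catalog.items():
        for comp in components:
            for adv in advisories:
                if comp["name"] == adv["name"] and comp["version"] in adv["affected"]:
                    hits.append({"platform": platform, "component": comp["name"],
                                 "version": comp["version"], "supplier": comp["supplier"],
                                 "advisory": adv["id"], "severity": adv["severity"]})
    return hits

def shared_components(catalog):
    """(name, version) pairs fielded on more than one platform: the places
    where a single advisory has fleet-wide impact."""
    platforms_by_component = defaultdict(set)
    for platform, components in catalog.items():
        for comp in components:
            platforms_by_component[(comp["name"], comp["version"])].add(platform)
    return {k: sorted(v) for k, v in platforms_by_component.items() if len(v) > 1}

def advisories_by_supplier(hits):
    """Group findings by supplier so each OEM can be engaged for a fix."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["supplier"]].add(hit["advisory"])
    return {supplier: sorted(ids) for supplier, ids in grouped.items()}
```

Note that rtos-kernel 4.2.1 produces no finding because only 4.2.0 is listed as affected; real matching would use version ranges and package URLs rather than exact strings.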

Where to Start: Army Organizations That Should Prioritize Leveraging SBOMs Immediately

All these capabilities enable a proactive approach to continuously managing risk in the software supply chain and should be applied to every critical DoD weapons platform and national security system. The benefits of analyzing SBOMs in the PEO Aviation example are repeatable across every major Army program, including, but not limited to:

  • Army Enterprise Data Centers at Fort Carson, Schofield Barracks, Fort Knox, Radford, Grafenwoehr (GE), Kaiserslautern (GE), Camp Zama (JP), Redstone Arsenal, Fort Liberty, Camp Humphreys (KR), JB Lewis-McChord, and Camp Arifjan (KU)
  • Local Network Enterprise Centers (NECs), which are essentially data centers at Army Posts, Camps, and Stations under ARCYBER NETCOM control
  • Global Satellite Communications Networks run by PM Integrated Enterprise Network (PM IEN)
  • Tactical Networks for Global Mission Command run by PM Tactical Network (PM TN)
  • Life Cycle Management Commands (LCMCs, AMC) for Weapons Platforms (AMCOM), Communications (CECOM), and Ground Systems (TACOM)
  • Survivability and Suitability Assessments of Army acquisition programs, in which Army Technology and Evaluation Command (ATEC) assesses Operational Effectiveness, Suitability, and Survivability prior to fielding/deployment approval
  • PEO Enterprise, which manages some of the largest enterprise IT systems in the world, with over 24.2 million daily business system transactions supporting over 615,000 users globally

It may seem daunting to determine how many SBOMs are needed and to put them to work improving security across a major Defense agency. That’s where Fortress Government Solutions can help. If you have questions about the implementation of SBOMs, our experts are here to provide insights and answer any questions you may have.
