SVIP Topic Call: Software Supply Chain Visibility Tools Industry Day



DHS is committed to using cutting-edge technologies and scientific talent in its quest to make America safer. The Software Supply Chain Visibility Tools solicitation calls for solutions that (1) build a foundational open-source library that includes a multi-format software bill of materials (SBOM) translator and a software component identifier translator; (2) automate SBOM generation; and (3) develop SBOM-enabled vulnerability visualizations and SBOM-enabled plug-ins for Interactive Development Environment (IDE) and Security Incident and Event Management (SIEM) tools.


Join our virtual Industry Day to hear more about how you can help DHS in strengthening the assurance of the software supply chain.


This SVIP topic call seeks technical capabilities that could serve the mission needs of one or more DHS Operational Components and Programs including the Cybersecurity and Infrastructure Agency (CISA). This SVIP topic call also intends to energize the market to provide SBOM-based capabilities for stakeholders within the enterprise, system administrator and software developer communities. Applications must respond to the required open-source library technical topic area and align to at least one of the other four technical topic areas.


1. Foundational Open-Source Libraries (REQUIRED): To ensure broad adoption and deployment of the capabilities sought in this call, DHS requires that two core capabilities be delivered as open-source software libraries: a multi-format SBOM translator and a software component identifier translator.

2. Automated SBOM Generation: DHS seeks a capability, integrated into the Software Development Lifecycle (SDLC), that automates the creation and updating of SBOMs.

3. SBOM Enabled Vulnerability Visualization: DHS seeks a visualization capability that can access and read SBOMs that may be in a variety of data formats, link that information with external records of vulnerabilities and severity information from trusted sources, and provide information on available patches and mitigations.

4. SBOM Enabled IDE Plug-in: DHS seeks to develop SBOM-enabled IDE plug-ins that give a software developer the ability to read and visualize:

  • SBOM information
  • Links to Common Vulnerabilities and Exposures (CVEs) or other records of vulnerabilities associated with the function, library, and related code
  • Information identifying severity (e.g., Common Vulnerability Scoring System (CVSS) score, Stakeholder-Specific Vulnerability Categorization (SSVC)) and susceptibility conditions
  • Information about available patches and mitigations

5. SBOM Enabled SIEM Plug-in: DHS seeks to develop SBOM-enabled plug-ins that integrate with existing Security Incident and Event Management (SIEM) tools, which analyze security events from various sources, display patterns of activity in the context of the computing (e.g., enterprise) environment, and generate alerts for immediate attention.


When
Thu, Jul 14, 2022, 9:30am - 11:30am PT


Cost
Complimentary: $0.00




Organizer
Department of Homeland Security
Office of Procurement Operations




