Avoiding undue burdens
What about vendors who were not able to meet the minimum requirements laid out in the order, especially in a world of continuous development and integration where software could be versioned several times a day? Herckis said that the goal was to reduce risk while still preserving the “broad and diverse marketplace that’s necessary to ensure the federal government is able to do its work.” He noted that, in certain worst-case scenarios, extensions and waivers could be granted, although “it’s a high bar.”
To further eliminate unnecessary work, the standard only requires a software bill of materials (SBOM) for software that is used in critical infrastructure. The standard aims to create secure, centralized clearinghouses for attestation documentation, and offers reciprocity between federal agencies so that a vendor need not re-attest separately to each one. To ensure the relevance of documentation requests, agencies must develop a plan outlining what they require, why they require it, and what staffing and processes they have in place to review it. In many cases, the request will only be a few pages.