- AppCensus (El Cerrito, California) - will add to its existing platform by mapping vulnerabilities to SDK behavior and providing a means to visualize that data as well as incorporate those results into SBOM reporting and common tooling and practice for IT professionals within enterprises. (Initial Award April 2023) – Currently in Phase 1
- ChainGuard (Kirkland, Washington) - will create an SBOM composition tool by developing the conceptual schema of how to join micro-SBOMs, creating a test suite of micro-SBOMs and the super SBOMs that ought to be created, and implementing functionality that takes micro-SBOMs as input and outputs a super SBOM. (Initial Award April 2023) – Currently in Phase 1
- DeepBits (Riverside, California) - has developed an AI-powered code intelligence platform for large-scale accurate binary code identification across languages and hardware platforms. They will develop a multi-format SBOM translator and design, build, and test its SaaSBOM generation tool. (Initial Award April 2023) – Currently in Phase 1
- Manifest Cyber (Westport, Connecticut) - will further mature their existing SBOM management platform by adding capabilities including support for enriching vulnerability data using Vulnerability Exploitability eXchange (VEX) documents, automating ticketing responses to Security Information and Event Management (SIEM) systems, automating risk and compliance report generation, beginning to build a global SBOM repository, and building support for eventual integration with commonly used asset management tools. (Initial Award April 2023) – Currently in Phase 1
- Scribe Security (Tel Aviv, Israel) - will adapt its existing platform to develop a multi-format SBOM translator using an Open Policy Agent (OPA), further develop two of its core technology tools used for the generation of SBOMs and extend its platform to provide unique vulnerability information and insights. (Initial Award April 2023) – Currently in Phase 1
- TestifySec (Jasper, Alabama) - is developing a new security platform and associated tools to provide enhanced supply chain security. These tools ensure software integrity by enabling detection of possible tampering or malicious activity through the application of “generate” and “verify” attestation processes in concert with policy compliance configuration. (Initial Award April 2023) – Currently in Phase 1
- Veramine (Bothell, Washington) - will enhance its Endpoint Detection & Response (EDR) agent by adapting and configuring the agent to collect only what would be needed to populate the SBOM and – importantly – also to centrally preserve a single copy of every binary ever loaded anywhere across the enterprise network for vulnerability analysis. (Initial Award April 2023) – Currently in Phase 1
The U.S. Department of Homeland Security (DHS) announced new enforcement actions to eliminate the use of forced labor practices in the U.S. supply chain and promote accountability for the ongoing genocide and crimes against humanity against Uyghurs and other religious and ethnic minority groups in the Xinjiang Uyghur Autonomous Region.
Directed by President Biden as part of the Executive Order on America’s Supply Chains (E.O. 14017), the Departments of Commerce and Homeland Security evaluated the current supply chain conditions for select hardware and software products, identified key risks that threaten to disrupt those supply chains, and proposed a strategy to mitigate risk and strengthen supply chain resiliency.
Joint Statement by Secretaries Raimondo and Mayorkas on Assessment of Critical Supply Chains Supporting the Information and Communications Technology Industry
Secretary of Commerce Gina Raimondo and Secretary of Homeland Security Alejandro N. Mayorkas released the following statement on the completion of a one-year assessment of the critical supply chains supporting the information and communications technology industry.
Businesses with potential exposure in their supply chain to the Xinjiang Uyghur Autonomous Region (Xinjiang) or to facilities outside Xinjiang that use labor or goods from Xinjiang should be aware of the reputational, economic, and legal risks of involvement with entities that engage in human rights abuses, including but not limited to forced labor in the manufacture of goods intended for domestic and international distribution. In order to mitigate reputational, economic, legal, and other risks, businesses should apply industry human rights due diligence policies and procedures to address risks.
To help mitigate the interruption of lifeline supply chains, researchers at a Department of Homeland Security Science and Technology Directorate Center of Excellence, the Food Protection and Defense Institute (FPDI), are developing new ways of identifying and understanding how and where supply chains are vulnerable to disruptions. As part of this work, research teams are also finding methods to document and assess the components of food supply chains – something that could also help meet goals of the Food Safety Modernization Act.
FPDI has developed an early prototype software tool for supply chain mapping, vulnerability assessments and analysis called Criticality Spatial Analysis (CRISTAL). Through CRISTAL, FPDI aims to develop a new capability to: (1) define and document food critical infrastructure, and (2) assess risk in the global food supply chain.
FPDI defends the safety and security of the food system by conducting research to protect against vulnerabilities in the food supply chain, from farm to table, and to reduce the potential catastrophic attacks on public health and the economy.
This strategy establishes the overarching framework for the secure flow of cargo through the supply chain and builds on existing national strategies, plans specific to individual segments of the supply chain or transportation system, and numerous programs and tactical plans developed and implemented by appropriate Department components and agencies.