FOR IMMEDIATE RELEASE
S&T Public Affairs, 202-286-9047
Solicitation Aims to Enhance the Security, Reliability and Efficiency of the Software People Use Daily
WASHINGTON – The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) announced a new solicitation seeking Software Artifact Dependency Graph (ADG) Generation capabilities to better understand, manage, and reduce risk to the software that powers cyber and physical infrastructure. Administered by S&T’s Silicon Valley Innovation Program (SVIP) in partnership with DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the solicitation provides each selected company with up to $1.7 million in non-dilutive funding over four phases to develop and adapt commercial technologies for homeland security use cases.
Software ADGs help identify and track every source code file that is incorporated into a piece of software without any effort from developers. By enabling automatic visibility and verification of what goes into a piece of software, this capability enhances software vulnerability management, ensures safer and more stable applications, and ultimately helps reduce the risk of cyberattacks that can compromise personal data and privacy.
Software ADGs are intrinsic identifiers that are unique to a software component’s contents. They can provide actionable information regarding the dependencies the software incorporates, which increases transparency in software composition and provides standard, machine-readable decision support at an enterprise scale.
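To make the idea of a content-derived identifier concrete, the following added example (illustrative code, not part of the solicitation or of any CISA or SVIP tooling) builds a tiny dependency graph for constructed source files and build steps. It assumes a simple scheme in which a leaf's identifier is a hash of its bytes and a built artifact's identifier is a hash of its inputs' identifiers, so the graph can answer a defender's question: which shipped artifacts contain a given source file?

```python
import hashlib

def blob_id(content: bytes) -> str:
    """Intrinsic identifier of a leaf artifact: derived from its bytes only."""
    return hashlib.sha256(b"blob\0" + content).hexdigest()

def derived_id(input_ids) -> str:
    """Identifier of a built artifact: hash of the sorted identifiers of
    everything that went into it, so it changes when any input changes."""
    manifest = "\n".join(sorted(input_ids)).encode()
    return hashlib.sha256(b"adg\0" + manifest).hexdigest()

def build_adg(sources, build_steps):
    """sources: {name: bytes}; build_steps: ordered (name, [input names]).
    Returns (ids, graph): ids maps name -> identifier, graph maps
    identifier -> set of direct input identifiers."""
    ids, graph = {}, {}
    for name, content in sources.items():
        ids[name] = blob_id(content)
        graph[ids[name]] = set()
    for name, inputs in build_steps:  # inputs must already have ids
        in_ids = {ids[i] for i in inputs}
        ids[name] = derived_id(in_ids)
        graph[ids[name]] = in_ids
    return ids, graph

def transitive_inputs(graph, artifact_id):
    """All identifiers reachable from artifact_id through the input edges."""
    seen, stack = set(), [artifact_id]
    while stack:
        for dep in graph.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def artifacts_containing(graph, source_id):
    """Every artifact whose transitive inputs include source_id, i.e. the
    set a defender must patch or rebuild when that file is found vulnerable."""
    return {a for a in graph if source_id in transitive_inputs(graph, a)}

# Constructed sample (hypothetical names): three source files, two
# libraries and one application that links only one of the libraries.
SOURCES = {"util.c": b"int add(int a,int b){return a+b;}\n",
           "main.c": b"int main(){return add(1,2);}\n",
           "log.c": b"void log_msg(void){}\n"}
STEPS = [("libutil.a", ["util.c"]),
         ("liblog.a", ["log.c"]),
         ("app", ["main.c", "libutil.a"])]
```

Rebuilding after a change to `util.c` yields a new identifier for `libutil.a` and `app` but leaves `liblog.a` unchanged, which is the property that lets the graph flag exactly the affected artifacts.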
“The challenge to accurately and reliably identify software is as old as software itself,” said Aeva Black, CISA's Section Chief for Open Source Software Security. “Scaling artifact dependency graph generation will improve open source ecosystems’ secure by design practices and empower network defenders to more easily and more accurately respond to emerging vulnerabilities.”
“Through this partnership with startups working with the open source software community, we hope to advance public progress toward greater visibility and transparency of the global software supply chain,” said Melissa Oh, SVIP Managing Director. “By incorporating these open source foundational capabilities into value-added products and services, we’re both mitigating software vulnerabilities and baking in security.”
This solicitation seeks foundational open source capabilities for compiled languages, interpreted languages, and packaging systems, as well as value-added services that use those foundational capabilities to accelerate progress in software composition analysis and vulnerability management, complementing and enhancing existing approaches to software identification.
The deadline for submitting applications for the solicitation is 3:00 PM ET on December 16, 2024.
Additionally, an Industry Day for interested applicants to learn about the solicitation will be held both virtually and in-person in Menlo Park, CA on October 17, 2024. To register, visit: https://sri-csl.regfox.com/svip-swadg-industry-day.
###