Title: Integrating Human Intelligence to Bypass Information Asymmetry in Procurement Decision-Making
Authors: Peter J. Caven, S. Gopavaram, L. Camp
DOI: 10.1109/MILCOM55135.2022.10017736 (https://doi.org/10.1109/MILCOM55135.2022.10017736)
Venue: MILCOM 2022 - 2022 IEEE Military Communications Conference (MILCOM)
Publication date: 2022-11-28
Open access: no
Citations: 2
Abstract
President Biden's Executive Order on Improving the Nation's Cybersecurity included two core components to enhance the security and integrity of the software supply chain: labels and Software Bills of Materials. The National Institute of Standards and Technology (NIST) was tasked with establishing a security labeling program. Its initial design was based on Energy Star, a voluntary labeling program established by the Environmental Protection Agency (EPA) to allow businesses to communicate energy consumption information to consumers. Similarly, the National Telecommunications and Information Administration (NTIA) defined the minimum elements for the Software Bill of Materials (SBOM). These SBOMs are analogous to nutrition facts labels, as they detail all the software components used in a product. What combination of information, on labels or bills of materials, should be provided at each stage of the acquisition lifecycle? To answer this question, we built on previous research on labels, procurement standards, best practices for IoT and software, and information proposed for labeling and SBOM programs. From that, we identified candidate features (and the purposes of those features) that were potentially salient during the acquisition process. We recruited participants from the Department of Defense community to sort those features according to their importance. We conclude that neither a single label nor a list of information can adequately support risk-informed decision-making across the acquisition process. We report how participants' information requirements correlated with their work roles. We offer recommendations for the next steps to design an effective label system to support cybersecurity-aware procurement.