CHAPTER 8
Existing and Emerging Government Guidance

In this chapter, we will discuss existing and emerging publications addressing software supply chain security from governmental and public sector organizations. These publications build on existing commercial guidance that we discussed in the previous chapter and account for some of the unique requirements of the Department of Defense (DoD), U.S. Federal Civilian Executive Branch (FCEB) agencies, and the National Security Agency (NSA), among others.

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

The National Institute of Standards and Technology (NIST) first published Special Publication (SP) 800-161, “Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations,” in April 2015 and began revising it in early 2020. However, as with many other resources discussed throughout this book, the Cybersecurity Executive Order (EO) 14028, “Improving the Nation's Cybersecurity,” reshaped that revision. Sections 4(b), 4(c), and 4(d) of the EO focus specifically on software supply chain security and direct NIST to publish guidance on it. NIST answered that call in Appendix F of SP 800-161 Revision 1 (published in May 2022), titled “Response to Executive Order 14028's Call to Publish Guidelines for Enhancing Software Supply Chain Security.” Rather than embed the detailed guidance within the broader 800-161 document, NIST published it online as a stand-alone resource that can be updated independently of the main publication (www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains ...
