NOTE: See a separate set of FAQs related to NIST's assignment to work on cybersecurity labeling for consumers
Q1. What past work has NIST done related to the security of the software supply chain?
- NIST has a longstanding program focused on managing risks to cybersecurity in the supply chain, software quality and security, and security development and engineering resources – across research, standards, and transition to practice. For details about the relevant resources produced by NIST to date, go to our resources page.
Q2. How has NIST involved the private sector and other government agencies in carrying out the engagement called for by the Executive Order?
- NIST issued a call for papers, sought public comments on draft documents, and held workshops and individual meetings with interested private and public sector stakeholders. See ways NIST has engaged HERE. NIST continues to welcome input on existing and needed secure software development practices, standards, guidelines, conformity assessment, and programs across vertical markets. Send ideas to swsupplychain-eo [at] nist.gov or to labeling-eo [at] nist.gov.
Q3. Will NIST order agencies to comply with standards, tools, best practices, and other guidelines to enhance software supply chain security?
- No. It’s NIST’s job to produce the standards, tools, and best practices. Other departments and agencies are charged with their implementation.
Q4. Will non-government organizations be required to use the standards, tools, best practices and other guidelines NIST issues under this EO?
- The EO is aimed at strengthening the federal government’s procurements that depend on the software supply chain. Companies that sell to the federal government will need to meet federal procurement requirements. NIST is not involved in that part of the process.
- As with all NIST cybersecurity-related work, the private sector and other organizations can benefit by voluntarily using the software supply chain standards, tools, best practices and other guidelines that NIST is producing.