NIST is publishing guidance that identifies practices for enhancing the security of the software supply chain, fulfilling the assignments given to it by the May 12, 2021, Presidential Executive Order on Improving the Nation's Cybersecurity (EO 14028). To gather extensive input on which practices to include, NIST solicited position papers, held two workshops, consulted with other federal agencies, and reviewed existing federal guidance.
This document starts by explaining NIST’s approach for addressing Section 4e. Next, it defines guidelines for federal agency staff who have software procurement-related responsibilities (e.g., acquisition and procurement officials, technology professionals). These guidelines are intended to help federal agency staff know what information to request from software producers regarding their secure software development practices. This document concludes with Frequently Asked Questions (FAQ) offering additional information.
Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e (February 4, 2022)