The Executive Order (EO) on Improving the Nation’s Cybersecurity, released on May 12, 2021, acknowledges the increasing number of software security risks throughout the supply chain. Federal departments and agencies become exposed to cybersecurity risks through the software and services that they acquire, deploy, use, and manage from their supply chain (which includes open source software components). Acquired software may contain known and unknown vulnerabilities as a result of its product architecture and development life cycle.
Mitigating these types of risks throughout the supply chain is a cornerstone goal of the EO, with Sections 4(b), 4(c), and 4(d) focusing exclusively on the critical sub-discipline of Cybersecurity Supply Chain Risk Management (C-SCRM) from the perspective of federal acquirers:
EO Section 4 Text
(b) Within 30 days of the date of this order, the Secretary of Commerce acting through the Director of NIST shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria in subsection (e) of this section. The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.
Relevant directives to this guidance:
(c) Within 180 days of the date of this order, the Director of NIST shall publish preliminary guidelines, based on the consultations described in subsection (b) of this section and drawing on existing documents as practicable, for enhancing software supply chain security and meeting the requirements of this section.
(d) Within 360 days of the date of this order, the Director of NIST shall publish additional guidelines that include procedures for periodic review and updating of the guidelines described in subsection (c) of this section.
This guidance is NIST’s response to the directives in Section 4(c) and 4(d) of EO 14028.
To support the prioritization and practical implementation of evolving software supply chain security recommendations, guidance is presented in the Foundational, Sustaining, and Enhancing practices paradigm in SP 800-161, Rev. 1.
Existing industry standards, tools, and recommended practices are sourced from NIST’s SP 800-161, Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, and its interrelation with guidance published by NIST in response to EO 14028. Those initiatives, as outlined by NIST on its EO 14028 guidance webpage, encompass:
Guidance in this Appendix does not introduce net new controls but rather frames existing controls for acquirers within the context of EO 14028.
NIST interprets the intent of “best” practices within the context of the EO as “recommended” practices to align with its typical mandate as an authoritative body providing recommendations to both public and private organizations.