
Software Security in Supply Chains: Attesting to Conformity with Secure Software Development Practices

NIST’s attestation guidance in response to Section 4(e) outlines four minimum recommendations that software purchasers should require from suppliers. The guidance recognizes that there are instances in which “these minimum practices will not be sufficient”[1] due to agency-specific risk-based considerations.

SP 800-161, Rev. 1 outlines an array of such risk-based considerations that federal agency acquirers should weigh when determining the appropriate degree of attestation to require from suppliers. Examples of risk-based considerations that demand more robust attestation include:

  • Prospective suppliers under Foreign Ownership, Control, or Influence (FOCI), as outlined in Appendix E of SP 800-161, Rev. 1 (e.g., a supplier or its component suppliers have headquarters; research; development; manufacturing, testing, packaging, distribution, or service facilities; or other operations in a foreign country, including a country of special concern or a foreign adversary)
  • Suppliers who provide mission-critical, life-safety, homeland security, critical infrastructure, or national security functions or an interdependency with another covered entity performing or essential to such functions
  • Suppliers who support high value assets or a critical system component and that have been assessed by the agency to have a risk that is high relative to the use-case; assessed risk impact may or may not extend outside of the agency
  • Suppliers who require the ability to access controlled unclassified information (CUI) or classified information
  • Suppliers who represent a single source of supply with limited availability of (or acceptable alternatives to) the product, service, or source
  • Suppliers who are frequently associated with foreign adversary tactics, techniques, and procedures (TTPs); security alerts; or threat intelligence reports

In these scenarios, federal agencies should consider enhancing attestation beyond the four minimum recommended practices outlined in the Attesting to Conformity with Secure Software Development Practices guidance. Examples of enhanced attestation capabilities include:

  • Supplier certifications, site visits, and/or third-party assessment and attestation
  • Higher frequency and/or continuous monitoring of supplier adherence to attestation commitments
  • Collection and review of lower-level artifacts, including functional and technical security controls
  • Higher fidelity SBOMs, including vendor vulnerability disclosure reports at the component level

Federal agencies seeking more comprehensive attestation capabilities in higher-risk scenarios should reference the evolving standards, tools, and practices guidance and Appendices D and E of SP 800-161, Rev. 1.

  --------------

[1] National Institute of Standards and Technology. (2022). Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e

Created May 3, 2022, Updated May 5, 2022