Software Security in Supply Chains: Enhanced Vendor Risk Assessments

The EO creates higher standards for software verification techniques and other software supply chain controls. Therefore, additional scrutiny is being placed on the software that the vendors produce, as well as the business entities within a given software supply chain that may sell, distribute, store, or otherwise have access to the software code. Federal agencies that seek to enhance their assessment of supplier software supply chain controls can perform additional scrutiny on vendor SDLC capabilities, security posture, and risks associated with Foreign Ownership, Control, or Influence (FOCI).

The following capabilities provide recommended vendor risk assessment and attestation capabilities beyond those outlined in Section 4 of EO 14028:

Foundational Capabilities

• Assess and analyze vendors who utilize open source data and (as resources permit) commercially available third-party assessment and security ratings platforms. Acquirers with access to confidential information may further supplement these outside-in analyses.  
• Require vendors to periodically self-attest to adopting practices that conform to the applicable requirements of SSDF V1.1, such as Produce Well-Secured Software’s (PW) Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements.
• Automatically verify hashes/signatures for all vendor-supplied software installation and updates, where feasible.[1]

Sustaining Capabilities

• Require vendors to submit third-party attestation that they conform to the applicable requirements of SSDF V1.1.
• Extend foundational capability recommendations to subsidiary suppliers designated within outside-in analyses and/or SBOMs, to the extent feasible.
• Include flow-down requirements to sub-tier suppliers in agreements that pertain to the secure development, delivery, operational support, and maintenance of software.
• Prioritize or mandate the use of suppliers who provide a software security label or data sheet that should include information about the software itself, the tools and technologies used to build the software, security standards and controls, the tools and processes that govern the software, and information on the qualifications and skills of key personnel involved in building the software for all provided products, where possible.[2]

Enhancing Capabilities

• Require vendors to periodically submit third-party attestation that they conform to the applicable requirements of SSDF V1.1 and the enhancing SSDLC capabilities (e.g., automated build deployments, pre-production testing, automatic rollbacks, and staggered production deployments), including low-level artifacts where feasible and appropriate.[3]
• Enforce just-in-time credentials for supplier build systems.[4]

Content:

• Introduction

• Guidance, Purpose, Scope, and Audience

• EO-Critical Software and Security Measures for EO-Critical Software

• Software Cybersecurity for Producers and Users

  • Attesting to Conformity with Secure Software Development Practices

• Software Verification

• Evolving Standards, Tools, and Recommended Practices

  • Software Bill of Materials (SBOM)

  • Enhanced Vendor Risk Assessments

  • Open Source Software Controls

  • Vulnerability Management

• Additional Existing Industry Standards, Tools, and Recommended Practices

• Frequently Asked Questions (FAQs)