This section responds to EO 14028’s mandate for NIST to gather and define evolving industry standards, tools, and recommended practices for software supply chain security in the context of federal acquirers. Given the varying levels of complexity and technical capabilities required for implementation, these concepts are presented in the Foundational, Sustaining, and Enhancing practices paradigm first introduced in SP 800-161r1upd1. Federal agencies should use these designations to prioritize the implementation of these recommended software supply chain security capabilities.
Evolving standards, tools, and recommended practices are capabilities, not requirements. They should only be implemented by federal acquirers when and where practical. The Foundational, Sustaining, and Enhancing practices designations recognize that federal department and agency acquisition and C-SCRM functions are at differing levels of program maturity.
Evolving standards, tools, and recommended practices are sourced from federal software supply chain security working groups, an array of public and private industry partnerships, and over 150 position papers submitted in advance of NIST’s June 2021 Enhancing Software Supply Chain Security Workshop.
Content: