C-SCRM and software supply chain security disciplines have evolved rapidly in recent years. The release of EO 14028, subsequent discussions, and cross-industry publications have brought many of these evolutions to the fore. This section responds to EO 14028’s mandate for NIST to gather and define those evolving industry standards, tools, and recommended practices in software supply chain security.
As with the existing standards, tools, and recommended practices provided above, these evolving concepts are tailored to the context of federal acquirers. Given the varying levels of complexity and technical capabilities required for implementation, these concepts are presented in the Foundational, Sustaining, and Enhancing practices paradigm first introduced in SP 800-161, Rev. 1. Federal agencies should use these designations to prioritize the implementation of these recommended leading software supply chain security capabilities.
Evolving standards, tools, and recommended practices are capabilities, not requirements, and are only to be implemented by federal acquirers when and where practical. The Foundational, Sustaining, and Enhancing practices designations recognize that federal departments' and agencies' acquisition and C-SCRM functions are at differing levels of program maturity.
Evolving standards, tools, and recommended practices are sourced from federal software supply chain security working groups, an array of public and private industry partnerships, and over 150 position papers submitted in advance of NIST’s June 2021 Enhancing Software Supply Chain Security Workshop.