Software Security in Supply Chains: Guidance, Purpose, Scope, and Audience

This guidance informs the acquisition, use, and maintenance of third-party software and services for agencies’ information technology (IT), Cybersecurity Supply Chain Risk Management (C-SCRM) Program Management Office, acquisition/procurement, and other functions in response to Section 4(c) and 4(d) of Executive Order (EO) 14028. It calls for applying the controls in SP 800-161, Rev. 1, to suppliers and – where feasible – adopting new software supply chain security recommendations.

The impact of Section 4(c) and 4(d) directives will continue to evolve through 2022 and beyond. Concepts introduced here will similarly evolve. NIST will maintain this guidance in accordance with Section 4(d).

This guidance does not include contractual language for federal agencies or cybersecurity concepts and disciplines beyond core software supply chain security use cases.

The primary audience for this guidance is federal agencies that acquire, deploy, use, and manage software from open source projects, third-party suppliers, developers, system integrators, external system service providers, and other information and communications technology (ICT)/operational technology (OT)-related service providers that must comply with Section 4(d) of EO 14028. As outlined in the relationship map below, Section 4(e) and the associated SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, contain guidance on secure software produced or developed in-house by federal agencies or by third-party suppliers.

Figure 1 - Relationship map between SSDF V1.1 and EO 14028, Section 4(d)



Created May 3, 2022, Updated May 5, 2022