Software Security in Supply Chains: Frequently Asked Questions

NIST’s response to Executive Order (EO) 14028 Section 4(c) was initially developed and contained within Appendix F of SP 800-161, Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, to ensure that it received sufficient public comment and review within the EO-designated timelines. Though traceability with Appendix F remains in SP 800-161, Rev. 1, the content has been relocated online to:

• Allow for colocation with related EO 14028 guidance under NIST’s purview
• Enable updates to more areas of evolving guidance without directly impacting SP 800-161, Rev. 1
• Provide traceability and linkage with other NIST web-based assets as and when they move online to encourage dynamic and interactive engagement with the public

This guidance consolidates existing industry standards, tools, and recommended practices from NIST’s flagship Cybersecurity Supply Chain Risk Management (C-SCRM) guidance, SP 800-161, Rev. 1, as well as subsequent guidance published by NIST on its EO 14028, Improving the Nation’s Cybersecurity Guidance webpage. It also provides evolving standards, tools, and recommended practices from over 150 position papers submitted in advance of NIST’s June 2021 Enhancing Software Supply Chain Security Workshop, federal software supply chain security working groups, and an array of public and private industry partnerships.

Executive Order (EO) 14028 Section 4(d) stipulates that the software supply chain security guidance and associated publications must be regularly maintained. NIST recognizes that this discipline is rapidly evolving and that many topics, capabilities, and guidance discussed herein will similarly evolve. As such, NIST will apply the policies and processes for the life cycle management of cryptographic standards and guidelines described in NISTIR 7977, NIST Cryptographic Standards and Guidelines Development Process, to guide the periodic review and updating of the guidelines described in Section 4(d) of EO 14028.

NIST’s Framework Update Process describes how NIST 1) continually and regularly engages in community outreach activities by attending and participating in meetings, events, and roundtable dialogs; 2) solicits direct feedback from industry through requests for information (RFI), requests for comments (RFC), and NIST team email; and 3) observes and monitors relevant resources and references – including descriptions of Framework use – published by government, academia, and industry.

Together, NISTIR 7977 and the Framework Update Process illustrate the procedures that will be followed for periodic review and updating of the guidelines described in Section 4(d).

Full Question:  I have software procurement-related responsibilities (e.g., acquisition and procurement officials, technology professionals) for my agency and suspect that I may need to provide enhanced attestation guidance based on the risk that a producer poses to my agency. What guidance should I reference to adequately vet the purchaser?

Consult SP 800-161, Rev. 1, Section 3 to contextualize attestation activities utilizing a risk-based approach. Additional guidance may be found in Appendix D in the form of vendor risk assessment templates and Appendix E, which expounds upon Foreign Ownership, Control, or Influence (FOCI) and other higher risk scenarios.

Per Appendix E of SP 800-161, Rev. 1, FOCI is defined as:

…ownership of, control of, or influence over the source or covered article(s) by a foreign interest (foreign government or parties owned or controlled by a foreign government, or other ties between the source and a foreign government) that has the power, direct or indirect, whether or not exercised, to direct or decide matters affecting the management or operations of the company.

See NIST’s flagship C-SCRM guidance, SP 800-161, Rev. 1. The publication’s broader C-SCRM control guidance, risk assessment approaches, and supplier templates further guide implementation and provide recommendations for organizations seeking to iteratively improve their C-SCRM programs.