NOTE: See a separate set of FAQs related to NIST's assignment to work on cybersecurity labeling for consumers
Q1. What past work has NIST done related to the security of the software supply chain?
- NIST has a longstanding program focused on managing risks to the cyber supply chain, software quality and security, and security development and engineering resources – across research, standards, and transition to practice. For details about the relevant resources produced by NIST to date, go to our resources page.
Q2. How will NIST involve the private sector and other government agencies in carrying out the engagement called for by the Executive Order?
- NIST issued a call for position papers and scheduled a workshop to solicit private sector and government agencies’ views about the criteria for software supply chain security. That information will be critical in supplementing the resources NIST has produced and the resources NIST is aware of that other organizations have published. Although the deadline for submission of position papers has passed, NIST will continue to accept ideas for consideration. NIST welcomes input on existing secure software development practices, standards, guidelines, conformity assessment, and programs across vertical markets.
Q3. Will NIST order agencies to comply with standards, tools, best practices, and other guidelines to enhance software supply chain security?
- No. It’s NIST’s job to produce the standards, tools, and best practices. Other departments and agencies are charged with their implementation.
Q4. Will non-government organizations be required to use the standards, tools, best practices, and other guidelines NIST issues under this EO?
- The EO is aimed at strengthening the federal government’s procurements that depend on the software supply chain. Companies that sell to the federal government will need to meet federal procurement requirements. NIST is not involved in that part of the process.
- As with all NIST cybersecurity-related work, the private sector and other organizations would be expected to benefit by voluntarily using the software supply chain standards, tools, best practices, and other guidelines that NIST will produce.