U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Information Technology Laboratory

Executive Order 14028, Improving the Nation's Cybersecurity

Software Supply Chain Security Guidance: FAQs

Share

The following FAQs provide additional information on the guidance.

  1. Where can I learn more about conformity assessment?

For more detailed information on conformity assessment, see NIST SP 2000-01, ABC's of Conformity Assessment; NIST SP 2000-02, Conformity Assessment Considerations for Federal Agencies; and ISO/IEC 17000:2020 – Conformity assessment – vocabulary and general principles. NIST SP 2000-01 and SP 2000-02 reference ISO/IEC 17000 and cite several of its definitions, including “conformity assessment.”

  1. Where can I learn more about first-party attestation and supplier’s declaration of conformity?

Additional information is available from NIST SP 2000-01, ABC's of Conformity Assessment and ISO/IEC 17050-1:2004, Conformity assessment – Supplier’s declaration of conformity – Part 1: General requirements.

  1. Does NIST have additional resources on cybersecurity supply chain risk management (C-SCRM)?

Yes, see NIST’s C-SCRM project website for links to all the resources. An example is the Federal C-SCRM Forum, which NIST hosts; the Forum fosters collaboration and the exchange of C-SCRM information among federal agencies to improve the security of federal supply chains. Examples of NIST C-SCRM guidance include SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations and SP 800-161 Rev. 1 (Second Draft), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.

  1. Are any other parts of EO 14028 related to this guidance?

Yes. Section 4n references section 4k, which was discussed in the introduction to this guidance. Here is the text of Section 4n:

(Section 4n)  Within 1 year of the date of this order, the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Attorney General, the Director of OMB, and the Administrator of the Office of Electronic Government within OMB, shall recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to subsections (g) through (k) of this section.

  1. Can agencies apply this guidance to software developed by federal agencies?

Yes, agencies can choose to implement the recommendations with agency-based software developers in order to help assess the security risks associated with their software and make risk-based decisions about its implementation and use.

  1. Can agencies apply this guidance to open-source software they freely and directly obtain?

Yes, agencies can choose to use attestations and artifacts from open-source software producers who make such content available. This may help agencies to assess the security risks associated with the software and make risk-based decisions about its implementation and use.

  1. How does the SSDF help address Section 4e of EO 14028?

The following table maps each Section 4e subsection to the SSDF practices and tasks that help address each subsection. See SP 800-218 for more information on each SSDF practice and task.

SSDF Practices Corresponding to EO 14028 Subsections

EO 14028 Subsection

Subsection Summary
(Refer to the next column for a complete list)

SSDF Practice and Task
Reference Numbers

4e(i)

Have secure software development environments, including:

[See rows below]

4e(i)(A)

administratively separate build environments;

PO.5.1

4e(i)(B)

trust relationship auditing;

PO.5.1

4e(i)(C)

multi-factor, risk-based authentication and conditional access;

PO.5.1, PO.5.2

4e(i)(D)

minimized dependencies on enterprise products in development environments;

PO.5.1

4e(i)(E)

data encryption; and

PO.5.2

4e(i)(F)

operational monitoring and incident detection and response.

PO.3.2, PO.3.3, PO.5.1, PO.5.2

4e(ii)

Provide artifacts from 4e(i) upon request.

PO.3.2, PO.3.3, PO.5.1, PO.5.2

4e(iii)

Maintain trusted source code supply chains.

PO.3.1, PO.3.2, PO.5.1, PO.5.2, PS.1.1, PS.2.1, PS.3.1, PW.4.1, PW.4.4

4e(iv)

Check software for vulnerabilities and remediate them.

PO.4.1, PO.4.2, PS.1.1, PW.2.1, PW.4.4, PW.5.1, PW.6.1, PW.6.2, PW.7.1, PW.7.2, PW.8.2, PW.9.1, PW.9.2, RV.1.1, RV.1.2, RV.2.1, RV.2.2, RV.3.3

4e(v)

Provide artifacts from 4e(iii) and 4e(iv) upon request, and make a summary description of risks assessed and mitigated publicly available.

PO.3.2, PO.3.3, PO.4.1, PO.4.2, PO.5.1, PO.5.2, PW.1.2, PW.2.1, PW.7.2, PW.8.2, RV.2.2

4e(vi)

Maintain provenance data for internal and 3rd party components.

PO.1.3, PO.3.2, PO.5.1, PO.5.2, PS.3.1, PS.3.2, PW.4.1, PW.4.4, RV.1.1, RV.1.2

4e(vii)

Provide a software bill of materials (SBOM) for each product.

PS.3.2

4e(viii)

Participate in a vulnerability disclosure program.

RV.1.1, RV.1.2, RV.1.3, RV.2.1, RV.2.2, RV.3.3

4e(ix)

Attest to conformity with secure software development practices.

All practices and tasks consistent with a risk-based approach

4e(x)

Attest to the integrity and provenance of open-source software components.

PS.2.1, PS.3.1, PS.3.2, PW.4.1, PW.4.4

 

  1. I have software procurement-related responsibilities (e.g., acquisition and procurement officials, technology professionals) for my agency. To conform with Section 4e of EO 14028, what should I request from software producers regarding their secure software development practices?

Software purchasers from a federal agency should ask software producers to provide a conformance statement attesting that their software development processes follow SSDF practices, including those specifically called out in Section 4e as presented in FAQ #7. The conformance statement should include:

  • Software producer’s name
  • A description of which product or products the statement refers to. (Note: it is preferable to address this at the company or product line level rather than per product.)
  • A statement attesting that the software producer follows secure development practices and tasks as specified in FAQ #7 that are appropriate and applicable
  • Name and title of individual who is the main point of contact and can provide, if requested by the purchasers, the artifacts generated by the secure software development activities related to EO 14028 Sections 4e(i), 4e(iii), and 4e(iv)
  1. I am a software producer and I want to sell my product to federal agencies. What information about secure software development do I need to provide to them?

You should provide a conformance statement, which is described in FAQ #8.

Additionally, you can choose to exceed the EO 14028 Section 4e requirements by providing a reference or URL to a summary of secure software development activities related to the SSDF practices and tasks, including risk-based and mitigation actions. A sample template is posted here for reuse in documenting the activities.

  1. I am a software reseller. How do I show purchasers that the software I am reselling meets the requirements of EO 14028 Section 4e?

You should ensure that you can provide a reference to the software producer’s conformance statement, as described in FAQ #8, for each software you resell to software purchasers.

 

Information technology and Cybersecurity
Created February 1, 2022, Updated February 4, 2022