EO 14028 emphasizes that “the security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions,” and “there is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.” Accordingly, secure software development practices should be integrated throughout software life cycles for three reasons: 1) to reduce the number of vulnerabilities in released software, 2) to reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and 3) to address the root causes of vulnerabilities to prevent recurrences. [SP 800-218]
EO 14028 Section 4e contains 10 subsections or items. Each of them specifies actions or outcomes for software producers, such as commercial-off-the-shelf (COTS) product vendors, government-off-the-shelf (GOTS) software developers, and contractors and other custom software developers. Before EO 14028’s release, NIST had published the initial Secure Software Development Framework (SSDF), which defined outcome-based secure software development practices and tasks for software producers to follow. Most of the Section 4e items were already addressed by the original SSDF. NIST has since revised the SSDF to address all Section 4e items, resulting in SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. FAQ #7 contains a mapping of each Section 4e item to the SSDF practices and tasks that help address it.
SP 800-218 addresses Section 4e from a software producer viewpoint. The software producers are the ones who implement SSDF practices. Section 4k explains that federal agencies will need to comply with NIST guidelines addressing Section 4e. In this context, federal agencies are software purchasers, not software producers, so additional guidance is needed to address Section 4e from a software purchaser viewpoint. This document defines that guidance.
This document provides recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development throughout the software life cycle. These recommendations are intended to help federal agencies get the information they need from software producers in a form they can use to make risk-based decisions about procuring software. These recommendations address all items within Section 4e from a software purchaser (federal agency) viewpoint. They involve software producers indicating conformity with secure software development practices as part of their internal processes by providing artifacts to federal agency purchasers and/or attesting to conformity.
The scope of this guidance is limited to federal agency procurement of software, which includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. The location of the implemented software, such as on-premises or cloud-hosted, is irrelevant. Software developed by federal agencies is out of scope, as is open-source software freely and directly obtained by federal agencies. Open-source software that is bundled, integrated, or otherwise used by software purchased by a federal agency is in scope.