Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Executive Order 14028: Guidelines for Enhancing Software Supply Chain Security

The workshop will share and discuss the approach that NIST is taking to support Section 4e of Executive Order 14028.  

 NIST has released the Draft Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. The SSDF is a set of fundamental, sound practices for secure software development based on established standards and guidelines produced by various organizations. The SSDF directly addresses several practices that were called out in Section 4e. The SSDF also provides a starting point for discussing other practices that Section 4e specifies.  

 To support this discussion, NIST is soliciting input about the types of meaningful artifacts of secure software development that software producers can share publicly with software acquirers. This workshop will bring together experts with different viewpoints to share their insights on producing and sharing artifacts of secure software development tools and processes, as well as on attesting to following specific secure software development practices.  

Agenda (times are in ET): 
(Updated 11/4)


Kevin Stine, Chief Cybersecurity Advisor, NIST

This session will provide an introduction to EO Section 4(e) and explain its relationship with OMB’s responsibilities in Section 4(k).


The NIST Secure Software Development Framework (SSDF)
Karen Scarfone, Scarfone Cybersecurity 

This session will walk through the basics of NIST’s Secure Software Development Framework (SSDF), including how it is related to other frameworks and how it addresses Section 4e of the EO in particular securing the software development environments and software development practices.

1:30 - 1:45           


Self Declaration and Attestation
Warren Merkel, Chief, Standards Services, NIST

This session will take a real-world look at standards-based self-declaration and self attestation with security requirements for software development.

1:45 - 2:15

Generating and Sharing Process and Tool Artifacts
Rohit Sethi, Security Compass
Matt Fussa, Cisco
This session will discuss the feasibility of generating and sharing artifacts from processes and tools for maintaining trusted source code and for verifying and mitigating software vulnerabilities.




Criteria and Attestation Approaches for Code Provenance
Dan Lorenc, Chainguard
Kurt Samuelson, Microsoft
This session will examine criteria and attestation approaches for maintaining provenance of code and code components, including for open-source software.


Vulnerability Disclosure Programs
Kim Schaffer, NIST
Katie Moussouris, Luta Security

This session will reference existing standards, guidelines, industry practices, and experiences for vulnerability disclosure programs.


Facilitated Q&A with all speakers Barbara Guttman, NIST





Created October 20, 2021, Updated November 19, 2021