It was a big year for software supply chain security in 2025, with the number of attacks targeting software’s key stakeholders and infrastructure going up and threat actors’ sophistication rising. ReversingLabs’ fourth annual Software Supply Chain Security Report 2026 notes that open-source malware detections jumped by 73% in 2025 compared with 2024 and that exposed development secrets grew by 11% across major repositories during this same time period.
In response to these trends, government entities across the globe rolled out new policy initiatives aimed at securing software supply chains, and thought leaders and industry voices had a lot to say on the subject as well.
Here’s a timeline of the most important actions that defined software supply chain security policy in 2025.
January 2025
The U.S. Food and Drug Administration issued draft guidance on how manufacturers of medical devices should manage AI-enabled software functions across the full product lifecycle. The guidance emphasizes documenting performance, risks, updates, and change management specific to AI-enabled functions, which are not static like traditional software. Sponsors should be prepared to explain how models are developed, evaluated, updated, and monitored and how changes will be controlled once a device is in the field.
Date: January 7, 2025 | Source
The playbook from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides a structured approach for AI ecosystem stakeholders to collaborate on AI-related cyber risk, especially related to incident reporting, information sharing, and joint response, through the Joint Cyber Defense Collaborative (JCDC). In practice, it’s a “how we work together” document that includes what to share, when to share it, and how to align government and industry workflows so that AI security signals can move quickly across defenders.
Date: January 14, 2025 | Source
DORA, designed to enhance the overall digital operational resilience of the European Union financial sector, went into effect last year. It ensures that financial firms, as well as the third-party companies supplying them, can withstand, respond to, and recover from cyberattacks or system failures. DORA also requires that proprietary or open-source software provided by third-party service providers is analyzed and tested prior to deployment in production environments for financial firms.
Date: January 17, 2025 | Source
February 2025
The Open Source Security Foundation’s project is an open, structured set of security controls to help open-source projects demonstrate and improve their security posture. It defines a tiered framework of security criteria organized by project maturity levels, covering areas such as access control, build and release processes, documentation, governance, vulnerability management, and quality. It gives open-source maintainers actionable, practical guidance on adopting coherent security practices and better communicating security status to users and consumers.
Date: February 25, 2025 | Source
March 2025
The U.S. National Institute of Standards and Technology (NIST) published its final taxonomy/terminology work on adversarial machine learning — mapping how attacks can target AI/ML systems across the lifecycle (data, training, deployment, inference) and pairing those attack classes with mitigation concepts. The value of the taxonomy is in shared language: It helps security teams, model developers, and risk owners describe threats consistently and compare controls across systems. For cybersecurity leaders, the report supports better governance by clarifying what “AI attack” means and where defenses should live.
Date: March 26, 2025 | Source
April 2025
Industry concerns soared following an announcement on April 2 by NIST that it would defer enrichment of all Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD) that had been published before January 1, 2018, and a subsequent letter from the nonprofit corporation Mitre saying that its contract to run the CVE program would expire on April 16. The two announcements were red flags that the federal government’s support for maintaining the NVD and documenting CVEs was at risk of collapse, removing a critical resource for both private- and public-sector security.
But on April 16, CISA issued a statement that reaffirmed the federal government’s commitment to maintaining the NVD and tracking CVEs. CISA wrote that CVE stability matters to global defenders and software producers and that the agency intended to sustain and improve it. And on the night before Mitre’s contract was to expire, CISA renewed it, ensuring the extension of an arrangement that has lasted for more than two decades.
Date: April 16, 2025 | Source
JPMorgan Chase CISO Patrick Opet made headlines in April with an open letter urging software and technology providers to treat supply chain risk as systemic rather than as a niche application security (AppSec) issue. Opet argued that downstream enterprises can’t practically absorb the compounding risk from their many (insecure) software suppliers, and so interconnected dependencies and Secure by Default expectations need to become part of the security baselines for software producers.
Date: April 28, 2025 | Source
May 2025
The annual Verizon Business Data Breach Investigation Report (DBIR) is a frequently cited source for identifying trends in the cybersecurity sector. So when the 2025 DBIR predicted that third-party involvement in breaches would continue to climb last year, people took note. Of the 12,195 confirmed data breaches that Verizon analyzed, the percentage involving an attack on a third-party software provider had doubled from the previous year’s report, reaching 30% of all breaches. Also, the 2025 DBIR analyzed scans of over 400,000 public GitHub repositories for exposed secrets and found that the median time to remediate leaked secrets discovered in a repository was 94 days.
Date: May 5, 2025 | Source
The U.S. Department of Defense unveiled its Software Fast Track (SWFT) Initiative aimed at modernizing and accelerating how secure software is procured, tested, and authorized for use by the military. As part of the effort, the DoD’s Office of the Chief Information Officer will work with key acquisition and security leaders to develop a new framework that establishes clear cybersecurity and supply chain risk management requirements, rigorous software security verification processes, secure information-sharing mechanisms, and government-led risk determinations to expedite authorization of secure software.
Date: May 5, 2025 | Source
Questions about the U.S. government’s role in identifying and tracking software risks took on a new dimension in May, when the EU’s Agency for Cybersecurity (ENISA) unveiled the EU Vulnerability Database (EUVD), an alternative to the U.S. NVD. ENISA said that the EUVD is intended to complement, but not replace, the NVD. Vulnerabilities will receive EU-specific tracking identifiers if they are first reported by European entities or are particularly relevant to EU concerns (including critical infrastructure), ENISA said.
Date: May 13, 2025 | Source
June 2025
President Trump’s Executive Order 14306, titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” updates two earlier cybersecurity directives to refocus the federal government’s cybersecurity strategy in response to evolving threats. It refines priorities around defending the nation’s digital infrastructure, secure software development, and resilience against malicious cyber campaigns, while adjusting or removing some provisions from the prior 2025 cybersecurity EO.
Date: June 6, 2025 | Source
The Cloud Native Computing Foundation graduated its in-toto framework, positioning it as a maturing supply chain integrity framework that verifies the steps of a software lifecycle (build, sign, attest, deploy) and helps ensure that those steps are authorized and tamper-free. The practical security outcome of the framework is stronger end-to-end provenance: Teams can define what must be true about how an artifact was produced and verify that statement via attestations.
Date: June 23, 2025 | Source
July 2025
The Open Worldwide Application Security Project Foundation’s guide adapts incident response to generative AI realities: new attack surfaces, failure modes, and investigation needs. It’s written to be usable by general security practitioners without deep machine-learning specialization. The practical takeaway of the guide is operational: Treat gen AI incidents as a distinct class with specific detection signals, triage questions, containment options, and recovery considerations — while integrating the threat class into existing incident-response programs.
Date: July 28, 2025 | Source
August 2025
AI vendor Anthropic announced automated security reviews inside Claude Code via a GitHub Actions integration and a /security-review command. The concept is to embed AI-assisted security review into developer workflows so teams can surface issues earlier and reduce review bottlenecks. The move is part of the broader “shift left with automation” trend — moving security feedback closer to code creation and pull requests. However, adoption should come with guardrails.
Date: August 6, 2025 | Source
GitHub in August announced a platform update that adds explicit blocking and SHA pinning support to GitHub Actions policy. The change lets organizations block known-bad actions or versions and require pinning to immutable SHAs rather than mutable tags. The update is aimed at reducing workflow supply chain risks in which a compromised action or upstream change can silently alter pipeline behavior. Overall, it’s a concrete, platform-level improvement that helps scale secure CI/CD controls.
Date: August 15, 2025 | Source
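To see where a repository stands before turning such a policy on, the following added example (not code from GitHub or from the original article) audits workflow text for `uses:` references that are not pinned to a full 40-character commit SHA or that appear on a blocklist. The sample workflow, the `example-org/...` action names and the blocklist entry are constructed for illustration.

```python
import re

# Captures the value of a step's "uses:" key, with or without a leading "- ".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
# A pinned reference ends in a full 40-hex-character commit SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text, blocked=()):
    """Return (line_no, reference, finding) for each risky `uses:` line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// images are not versioned by an
        # action commit SHA, so this check leaves them out of scope.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        name, _, version = ref.partition("@")
        if name in blocked or ref in blocked:
            findings.append((no, ref, "blocked"))
        elif not FULL_SHA_RE.match(version):
            # Tags and branches are mutable: upstream can repoint them.
            findings.append((no, ref, "unpinned"))
    return findings

# Constructed sample workflow (all action names are hypothetical).
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v1.2.0
      - name: lint
        uses: example-org/linter@main
      - uses: ./.github/actions/local-build
      - uses: example-org/known-bad@89abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for no, ref, finding in audit_workflow(SAMPLE, blocked=["example-org/known-bad"]):
        print(f"line {no}: {finding}: {ref}")
```

A blocklisted action is reported even when it is SHA-pinned, because pinning only fixes which code runs; it says nothing about whether that code is trusted.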
NIST published updates to its Special Publication (SP) 800-53, strengthening guidance on the secure and reliable deployment of software patches and updates. The proposed changes — in response to EO 14306 — target key areas of modern patch management such as software resiliency, developer testing, secure logging, least-privilege for tools, update deployment management, software integrity and validation, defined organizational roles, and root-cause analysis.
Date: August 27, 2025 | Source
CISA published an updated list of minimum elements for software bills of materials, with requests for public comment. The list refreshes earlier baseline guidance to reflect rapidly maturing SBOM practices and tooling by both software producers and end-user organizations. The goal is to make software transparency more actionable by defining the minimum information needed so SBOMs can be consistently generated, shared, and used for risk decisions.
Date: August 22, 2025 | Source
September 2025
GitHub outlined plans in September to harden the npm repository in response to increased registry attacks, including the then recently discovered Shai-hulud worm, which infected hundreds of npm packages. The npm updates offer stronger authentication, token improvements, and trusted publishing enhancements to reduce the blast radius of maintainer compromise and credential theft. The news came as open-source registry operators faced increasing pressure to police their environments and keep malicious campaigns from spreading.
Date: September 22, 2025 | Source
In an open letter published in September, the OpenSSF argued that public open-source infrastructure is essential but underfunded relative to the scale of commercial consumption. The group called for a model that better aligns usage with responsibility, so that the infrastructure remains secure and reliable. “Open source infrastructure cannot be expected to operate indefinitely on unbalanced generosity. The real challenge is creating sustainable funding models that scale with usage, rather than relying on informal and inconsistent support,” the group said.
Date: September 23, 2025 | Source
November 2025
OWASP published its 2025 Top 10 Guide for “Critical Web Application Security Risks.” The release marks the latest edition of OWASP’s widely used web application security risk list. This year’s list includes a new category, “Software Supply Chain Failures,” as the third-most critical AppSec risk. As it stands, the new category had the fewest occurrences in the OWASP data on AppSec risks, but the highest average exploit and impact scores from CVEs.
Date: November 6, 2025 | Source
The United Kingdom’s National Cyber Security Centre (NCSC) updated its Software Security Code of Practice, a voluntary set of guidelines designed to support software vendors and their customers in reducing the likelihood and impact of software supply chain attacks. It contains 14 principles split across four themes: Secure design and development, build environment security, secure deployment and maintenance, and communications with customers.
Date: November 28, 2025 | Source
December 2025
The U.S. Congress passed the National Defense Authorization Act (NDAA), which, among the mountain of traditional and mundane spending authorizations in the omnibus bill, includes a range of new requirements specific to software supply chain security and the military’s use of AI. Those include calls for “any policy, regulation, guidance, or requirement issued by the Department of Defense relating to the use, submission, or maintenance of a software bill of materials” to apply also to “artificial intelligence systems, models, and software used, developed, or procured by the Department.”
Date: December 18, 2025 | Source