| February 7, 2024

Definitive timeline: Federal guidance on software supply chain security

With the rise in attacks, U.S. agencies have been busy crafting policy to tackle the problem. Here are the major initiatives and mandates that matter.

Blog Author

Carolynn van Arsdale, Writer, ReversingLabs. Read More...

Timeline of Federal Guidance on Software Supply Chain Security

With major software supply chain attacks including the SunBurst attack on SolarWinds in 2020 and the critical vulnerability Log4j, software security moved front and center for risk managers and software teams alike. These incidents, along with a string of other attacks that span the past few decades, show the problem is only getting worse as bad actors target an increasingly complex process for building software — and the software development toolchain itself.

The problem has accelerated dramatically in the past three years, with software supply chain threats via open-source repositories skyrocketing by 1300% between 2020 and 2023, catching security teams off guard. Also: Nearly nine out of 10 security and IT professionals surveyed in a 2023 study said that their companies detected security issues in their software supply chains in the last 12 months.

The problem of software supply chain security has also caught the attention of the U.S. federal government, which has been very active over the past few years in seeking to tackle the problem head on. Those efforts include the White House's Executive Order on Improving the Nation’s Cybersecurity, released in May 2021, and a flurry of other critical initiatives and guidance that have followed, including the Secure by Design initiative in 2023.

Here is a definitive timeline of the U.S.'s major software supply chain policy initiatives and mandates:

[ Special Report: The State of Software Supply Chain Security (SSCS) 2024 | Download Report: State of SSCS ]

May 2021

The White House released an Executive Order (EO) on Improving the Nation’s Cybersecurity (14028). The EO aims to improve several areas of cybersecurity, including software supply chain security.
(Read more)

July 2021

The Secretary of Commerce, in coordination with National Telecommunications and Information Administration (NTIA), released Section 4 f of EO 14028, which lists the minimum elements required for a software bill of materials (SBOM).
(Read more)

September 2021

The NTIA introduced the Vulnerability Exploitability eXchange (VEX), which was created to “fill a particular need regarding use of software bills of materials."
(Read more)

February 2022

The National Institute of Standards and Technology (NIST) released the first version of the Secure Software Development Framework (SSDF).
(Read more)

September 2022

The federal government’s Enduring Security Framework (ESF) working panel released the “Securing the Software Supply Chain” report, meant to be a practical guide for developers.
(Read more)

September 2022

The White House's Office of Management and Budget (OMB) issued memorandum (M-22-18), which mandates all federal agencies to attain attestation of software security from any software company doing business with the federal government, as described in NIST’s SSDF guidance.
(Read more)

September 2022

U.S. Senators Peter and Portman introduced Senate Bill S. 4913, which aims to establish the duties of the Director of CISA in relation to open source software security.
(Read more)

October 2022

The federal government’s ESF working panel released the second series of the “Securing the Software Supply Chain” report, meant to be a practical guide for software suppliers.
(Read more)

October 2022

The federal government’s ESF working panel released the third series of the “Securing the Software Supply Chain” report, meant to be a practical guide for customers.
(Read more)

March 2023

The White House released the National Cybersecurity Strategy, which comprises five pillar areas that address the federal government’s goals to improve the nation’s cybersecurity.
(Read more)

April 2023

The Cybersecurity and Infrastructure Security Agency (CISA), along with 17 other U.S. and international partners, released Secure by Design, an initiative that aims to shift the burden of software risk from consumers (buyers) to the producers of the software (development companies.)
(Read more)

June 2023

CISA and the National Security Agency (NSA) released a Cybersecurity Information Sheet (CSI) on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments, which outlines recommendations and best practices for improving defenses in the software development, security, and operations (DevSecOps) process.
(Read more)

July 2023

The Securities and Exchange Commission (SEC) released a set of rules on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” As of August 2023, SEC registrants will now have to disclose material cybersecurity incidents, and annually disclose “basic material information” about the company’s state of cybersecurity.
(Read more)

September 2023

The Food and Drug Administration (FDA) released “Cybersecurity in Medical Devices: Quality System Consideration and Content of Premarket Submissions” as a reference document for device manufacturers, who must now report on their medical devices’ cybersecurity, in accordance with part (f) of Sec. 524B in H.R.2617.
(Read more)

October 2023

CISA released guidelines for a “Software Identification Ecosystem,” with the goal of it being both a precise and generic resource that supports software “grouping.”
(Read more)

November 2023

As a part of its second phase of the “Securing the Software Supply Chain” guide, the ESF working panel released “Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption,” which is meant for developers, suppliers, and customers.
(Read more)

Keep learning

Read the 2025 Gartner® Market Guide to Software Supply Chain Security. Plus: Join RL's May 28 webinar for expert insights.
Get the white paper: Go Beyond the SBOM. Plus: See the Webinar: Welcome CycloneDX xBOM.
Go big-picture on the software risk landscape with RL's 2025 Software Supply Chain Security Report. Plus: See our Webinar for discussion about the findings.
Get up to speed on securing AI/ML with our white paper: AI Is the Supply Chain. Plus: See RL's research on nullifAI and learn how RL discovered the novel threat in this

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Software Supply Chain Security

File Security

Security Operations

Products

Technology

Industry

Partners

Alliances

Resources

Company

Events

Press

Definitive timeline: Federal guidance on software supply chain security