Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure for Software Supply Chain Security
Get Free TrialMore about Spectra Assure Free TrialDefinitive timeline: Federal guidance on software supply chain security
With the rise in attacks, U.S. agencies have been busy crafting policy to tackle the problem. Here are the major initiatives and mandates that matter.
With major software supply chain attacks including the SunBurst attack on SolarWinds in 2020 and the critical vulnerability Log4j, software security moved front and center for risk managers and software teams alike. These incidents, along with a string of other attacks that span the past few decades, show the problem is only getting worse as bad actors target an increasingly complex process for building software — and the software development toolchain itself.
The problem has accelerated dramatically in the past three years, with software supply chain threats via open-source repositories skyrocketing by 1300% between 2020 and 2023, catching security teams off guard. Also: Nearly nine out of 10 security and IT professionals surveyed in a 2023 study said that their companies detected security issues in their software supply chains in the last 12 months.
The problem of software supply chain security has also caught the attention of the U.S. federal government, which has been very active over the past few years in seeking to tackle the problem head on. Those efforts include the White House's Executive Order on Improving the Nation’s Cybersecurity, released in May 2021, and a flurry of other critical initiatives and guidance that have followed, including the Secure by Design initiative in 2023.
Here is a definitive timeline of the U.S.'s major software supply chain policy initiatives and mandates:
Special Report: The State of Software Supply Chain Security (SSCS) 2024Download Report: State of SSCS
May 2021
The White House released an Executive Order (EO) on Improving the Nation’s Cybersecurity (14028). The EO aims to improve several areas of cybersecurity, including software supply chain security.
July 2021
The Secretary of Commerce, in coordination with National Telecommunications and Information Administration (NTIA), released Section 4 f of EO 14028, which lists the minimum elements required for a software bill of materials (SBOM).
(Read more)September 2021
The NTIA introduced the Vulnerability Exploitability eXchange (VEX), which was created to “fill a particular need regarding use of software bills of materials."
(Read more)February 2022
The National Institute of Standards and Technology (NIST) released the first version of the Secure Software Development Framework (SSDF).
(Read more)September 2022
The federal government’s Enduring Security Framework (ESF) working panel released the “Securing the Software Supply Chain” report, meant to be a practical guide for developers.
(Read more)September 2022
The White House's Office of Management and Budget (OMB) issued memorandum (M-22-18), which mandates all federal agencies to attain attestation of software security from any software company doing business with the federal government, as described in NIST’s SSDF guidance.
(Read more)September 2022
U.S. Senators Peter and Portman introduced Senate Bill S. 4913, which aims to establish the duties of the Director of CISA in relation to open source software security.
(Read more)October 2022
The federal government’s ESF working panel released the second series of the “Securing the Software Supply Chain” report, meant to be a practical guide for software suppliers.
(Read more)October 2022
The federal government’s ESF working panel released the third series of the “Securing the Software Supply Chain” report, meant to be a practical guide for customers.
(Read more)March 2023
The White House released the National Cybersecurity Strategy, which comprises five pillar areas that address the federal government’s goals to improve the nation’s cybersecurity.
April 2023
The Cybersecurity and Infrastructure Security Agency (CISA), along with 17 other U.S. and international partners, released Secure by Design, an initiative that aims to shift the burden of software risk from consumers (buyers) to the producers of the software (development companies.)
(Read more)June 2023
CISA and the National Security Agency (NSA) released a Cybersecurity Information Sheet (CSI) on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments, which outlines recommendations and best practices for improving defenses in the software development, security, and operations (DevSecOps) process.
(Read more)July 2023
The Securities and Exchange Commission (SEC) released a set of rules on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” As of August 2023, SEC registrants will now have to disclose material cybersecurity incidents, and annually disclose “basic material information” about the company’s state of cybersecurity.
(Read more)September 2023
The Food and Drug Administration (FDA) released “Cybersecurity in Medical Devices: Quality System Consideration and Content of Premarket Submissions” as a reference document for device manufacturers, who must now report on their medical devices’ cybersecurity, in accordance with part (f) of Sec. 524B in H.R.2617.
(Read more)October 2023
CISA released guidelines for a “Software Identification Ecosystem,” with the goal of it being both a precise and generic resource that supports software “grouping.”
(Read more)November 2023
As a part of its second phase of the “Securing the Software Supply Chain” guide, the ESF working panel released “Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption,” which is meant for developers, suppliers, and customers.
(Read more)
