With major software supply chain attacks including the SunBurst attack on SolarWinds in 2020 and the critical vulnerability Log4j, software security moved front and center for risk managers and software teams alike. These incidents, along with a string of other attacks that span the past few decades, show the problem is only getting worse as bad actors target an increasingly complex process for building software — and the software development toolchain itself.
The problem has accelerated dramatically in the past three years, with software supply chain threats via open-source repositories skyrocketing by 1300% between 2020 and 2023, catching security teams off guard. Also: Nearly nine out of 10 security and IT professionals surveyed in a 2023 study said that their companies detected security issues in their software supply chains in the last 12 months.
The problem of software supply chain security has also caught the attention of the U.S. federal government, which has been very active over the past few years in seeking to tackle the problem head on. Those efforts include the White House's Executive Order on Improving the Nation’s Cybersecurity, released in May 2021, and a flurry of other critical initiatives and guidance that have followed, including the Secure by Design initiative in 2023.
Here is a definitive timeline of the U.S.'s major software supply chain policy initiatives and mandates:
The White House released an Executive Order (EO) on Improving the Nation’s Cybersecurity (14028). The EO aims to improve several areas of cybersecurity, including software supply chain security.
The NTIA introduced the Vulnerability Exploitability eXchange (VEX), which was created to “fill a particular need regarding use of software bills of materials."
The Cybersecurity and Infrastructure Security Agency (CISA), along with 17 other U.S. and international partners, released Secure by Design, an initiative that aims to shift the burden of software risk from consumers (buyers) to the producers of the software (development companies.)
CISA and the National Security Agency (NSA) released a Cybersecurity Information Sheet (CSI) on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments, which outlines recommendations and best practices for improving defenses in the software development, security, and operations (DevSecOps) process.
The Securities and Exchange Commission (SEC) released a set of rules on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” As of August 2023, SEC registrants will now have to disclose material cybersecurity incidents, and annually disclose “basic material information” about the company’s state of cybersecurity.
The Food and Drug Administration (FDA) released “Cybersecurity in Medical Devices: Quality System Consideration and Content of Premarket Submissions” as a reference document for device manufacturers, who must now report on their medical devices’ cybersecurity, in accordance with part (f) of Sec. 524B in H.R.2617.
As a part of its second phase of the “Securing the Software Supply Chain” guide, the ESF working panel released “Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption,” which is meant for developers, suppliers, and customers.
Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security.
- Update your understanding: Buyer's Guide for Software Supply Chain Security
- Join the Webinar: Why you need to upgrade your AppSec for the new era
- Get the report and take action: The State of Supply Chain Security 2024
- See the Webinar: State of Software Supply Chain Security 2024
- See Gartner's guidance on managing software supply chain risk