Software Security in Supply Chains: Software Verification

NIST’s third initiative in response to EO 14028 resulted in the July 2021 release of the Minimum Standards for Vendor or Developer Verification of Software. These guidelines focus primarily on developers who supply secure products and services to federal agencies. Technical descriptions and explanations for the guidelines were released as IR 8397, Guidelines on Minimum Standards for Developer Verification of Software, in October 2021.

At a minimum, agencies should familiarize themselves with these guidelines and ensure that applicable recommended baseline practices are being performed by their suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers.

As with the security measures for critical software use, these recommended practices can be operationalized through the lens of SP 800-161r1's acquisition guidance. Table F-5 outlines how the minimum software verification techniques can be used by federal agencies in conjunction with existing C-SCRM controls, control enhancements, and supplemental guidance from the acquirer's perspective.

Table F‑5: C-SCRM Control and Security Measure Crosswalk

Control Identifier | Control Name | EO Minimum Software Verification Technique Impact

AU-12 | Audit Record Generation
  • Expand examples of “supply chain auditable events” to include supplier attestation or third-party validation that all relevant minimum software verification techniques were performed and passed. Attestation should accompany each installation, deployment, and/or upgrade of software.

SA-3 | System Development Life Cycle
  • Integrate all applicable minimum software verification techniques into a supplier’s traditional SDLC activities.

SA-4 | Acquisition Process
  • Include all applicable minimum software verification techniques in a supplier’s requirements for functional properties, configuration, and implementation information, as well as any development methods, techniques, or practices that may be relevant. To differentiate between assurance activities and their effectiveness, evaluation factors should include means for weighing the inclusion of each applicable minimum software verification technique, monitoring progress, and remediating findings.

SA-8 | Security Engineering Principles
  • Incorporate threat modeling, fuzzing, and automation to determine the maximum possible ways that the ICT/OT product or service can be misused and abused by a supplier.
  • Expand the supplier’s security mechanisms to include the built-in checks and protections verification technique.

SA-9 | External System Services
  • Ensure that minimum software verification techniques and results are documented alongside a supplier’s cyber supply chain threats, vulnerabilities, and associated risks.

SA-10 | Developer Configuration Management
  • Mandate that the supplier’s developer configuration management activities include checking software for known vulnerabilities and applying remediations and/or compensating controls to resolve or mitigate identified vulnerabilities.

SA-11 | Developer Testing and Evaluation
  • Supplement suggested C-SCRM-relevant testing with all applicable minimum software verification techniques.

SA-15 | Development Process, Standards, and Tools
  • Enhance threat modeling and vulnerability analysis activities to include the minimum software verification techniques, where applicable.

SA-22 | Unsupported System Components
  • Incorporate the automated testing, built-in checks, and code (e.g., libraries, packages, services) verification techniques to proactively identify unsupported systems or system subcomponents.

SR-6 | Supplier Assessment and Reviews
  • Augment baseline factors and assessment criteria to include a supplier’s minimum software verification techniques, where applicable.

SR-9 | Tamper Resistance and Detection
  • Augment the tamper resistance and detection control to include a supplier’s minimum software verification techniques, where applicable.

SR-11 | Component Authenticity
  • Use the automated scanning and check-included-software verification techniques to continuously monitor configuration controls for component service and repair activities, as well as anti-counterfeit scanning.

SI-7 | Software, Firmware, and Information Integrity
  • Expand the set of applicable verification tools to include all minimum software verification techniques, where applicable.

CM-3 | Configuration Change Control
  • Incorporate automated scanning, fuzzing, and other built-in checks and protections into testing, validation, and the documentation of changes to control for supplier misconfiguration risks.

CM-6 | Configuration Settings
  • Codify automated management, application, and verification activities to include all applicable minimum software verification techniques.

CM-10 | Software Usage Restrictions
  • Mandate the use of all applicable software verification techniques when utilizing open-source software components or licensed software.


Created May 3, 2022, Updated November 1, 2024