Software Security in Supply Chains: Frequently Asked Questions

NIST’s response to EO 14028 Section 4(c) was initially developed and contained within Appendix F of SP 800-161r1upd1, to ensure that it received sufficient public comment and review within the EO-designated timelines. Though traceability with Appendix F remains in SP 800-161r1, the content has been relocated online to:

  • Allow for colocation with related EO 14028 guidance under NIST’s purview
  • Enable updates to more areas of evolving guidance without directly impacting SP 800-161r1 
  • Provide traceability and linkage with other NIST web-based assets as and when they move online to encourage dynamic and interactive engagement with the public

This guidance consolidates existing industry standards, tools, and recommended practices from SP 800-161r1 and subsequent guidance on NIST’s EO 14028 webpage. It also provides evolving standards, tools, and recommended practices from over 150 position papers submitted in advance of NIST’s June 2021 Enhancing Software Supply Chain Security Workshop, federal software supply chain security working groups, and an array of public and private industry partnerships.

Full Question: I have software procurement-related responsibilities (e.g., acquisition and procurement officials, technology professionals) for my agency and suspect that I may need to provide enhanced attestation guidance based on the risk that a producer poses to my agency. What guidance should I reference to adequately vet the purchaser?

Consult SP 800-161r1, Section 3, to contextualize attestation activities using a risk-based approach. Additional guidance may be found in Appendix D, in the form of vendor risk assessment templates, and in Appendix E, which expounds on FOCI and other higher-risk scenarios.

Per Appendix E of SP 800-161r1, FOCI is defined as: 
…ownership of, control of, or influence over the source or covered article(s) by a foreign interest (foreign government or parties owned or controlled by a foreign government, or other ties between the source and a foreign government) that has the power, direct or indirect, whether or not exercised, to direct or decide matters affecting the management or operations of the company.

See NIST’s flagship C-SCRM guidance, SP 800-161r1. The publication’s broader C-SCRM control guidance, risk assessment approaches, and supplier templates further guide implementation and provide recommendations for organizations seeking to iteratively improve their C-SCRM programs. 

NIST’S RESPONSE TO SECTION 4(d)

EO 14028 Section 4(d) stipulates that software supply chain security guidance and associated publications must be regularly maintained. NIST recognizes that this discipline is rapidly evolving and that many topics, capabilities, and guidance discussed herein will similarly evolve. As such, NIST will apply the policies and processes for the life cycle management of cryptographic standards and guidelines described in IR 7977, to periodically review and update the guidelines described in Section 4(d) of EO 14028.

NIST’s Framework Update Process describes how NIST:

  1. Continually and regularly engages in community outreach activities by attending and participating in meetings, events, and roundtable dialogs 
  2. Solicits direct feedback from industry through requests for information (RFI), requests for comments (RFC), and NIST team email 
  3. Observes and monitors relevant resources and references that are published by government, academia, and industry, including descriptions of Framework use

Together, IR 7977 and the Framework Update Process illustrate the procedures that will be followed to periodically review and update the guidelines described in Section 4(d).

Following the initial publication of this guidance, OMB released M-22-18, which outlines additional guidance for federal departments and agencies seeking to obtain attestations of secure software development practices from their third-party suppliers. The section on Attesting to Conformity With Secure Software Development Practices has been revised to reflect this development.

Additional revisions have been made across the Evolving Standards, Tools, and Recommended Practices section to clarify roles and responsibilities for organizations seeking to implement a recommended practice.

Created May 3, 2022, Updated November 1, 2024