Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Software Cybersecurity for Producers and Purchasers
Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e
NIST is publishing guidance identifying practices that enhance the security of the software supply chain as part of its assignments to enhance the security of the software supply chain called for by a May 12, 2021, Presidential Executive Order on Improving the Nation's Cybersecurity (14028). To gather extensive input on practices to include, NIST solicited position papers, held two workshops, consulted with other federal agencies, and reviewed existing federal guidance.
This document starts by explaining NIST’s approach for addressing Section 4e. Next, it defines guidelines for federal agency staff who have software procurement-related responsibilities (e.g., acquisition and procurement officials, technology professionals). These guidelines are intended to help federal agency staff know what information to request from software producers regarding their secure software development practices. This document concludes with Frequently Asked Questions (FAQ) offering additional information.
- Introduction
- Guidance Purpose and Scope
- Terminology
- Attesting to Conformity with Security Software Development Practices
- FAQs
Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e (February 4, 2022)