The U.S. government has issued an executive order to improve cybersecurity across federal supply chains, particularly focusing on software security risks. The order directs the National Institute of Standards and Technology (NIST) to develop guidelines for evaluating software security and the practices of software developers and suppliers.
NIST has published preliminary guidelines based on existing industry standards and practices, following the Foundational, Sustaining, and Enhancing practices paradigm. These guidelines are considered “recommended” practices rather than mandatory requirements, as NIST typically provides recommendations to both public and private organizations.
The guidelines aim to enhance software supply chain security by evaluating software security criteria, assessing the security practices of developers and suppliers, and identifying innovative tools or methods to demonstrate secure practices. NIST will continue to develop and update these guidelines periodically.
Keywords: Cybersecurity, Supply Chain, Risk Management, NIST, Guidelines
