Software is a critical component of the larger challenge of managing cybersecurity related to supply chains. Section 4 of the EO directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines are to include:
- criteria to evaluate software security,
- criteria to evaluate the security practices of the developers and suppliers themselves, and
- innovative tools or methods to demonstrate conformance with secure practices.
Based on more than 150 responses to a call for position papers, multiple workshops, and responses to draft documents, NIST has produced a series of guidance resources.
