🌐
NIST
nist.gov › itl › executive-order-14028-improving-nations-cybersecurity › software-supply-chain-security-guidance
Software Supply Chain Security Guidance | NIST
May 5, 2022 - Section 4 of the EO directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines are to include: ... Based on more than 150 responses to a call for position papers, multiple workshops, and responses to draft documents, NIST has produced a series of guidance resources.
🌐
NIST
nist.gov › itl › executive-order-14028-improving-nations-cybersecurity › software-supply-chain-security-guidance-13
Software Security in Supply Chains | NIST
November 1, 2024 - To support the prioritization and practical implementation of evolving software supply chain security recommendations, guidance is presented in the Foundational, Sustaining, and Enhancing practices paradigm in SP 800-161r1.
People also ask

What is a Software Supply Chain Attack?
According to the “Defending Against Software Supply Chain Attacks” guide, a software supply chain attack occurs when a threat actor infiltrates a vendor network and employs malicious code to compromise the software product before the vendor sends it to their customers. The affected software and data then compromise the customer’s system and data, creating malicious options for the threat actors. Security measures of both the vendor and their customers can be circumvented, allowing unauthorized privileged and persistent access to the target’s networks.
🌐
hyperproof.io
hyperproof.io › home › nist recommendations for defending against software supply chain attacks
NIST Recommendations for Defending Against Software Supply Chain ...
How to Prevent Software Supply Chain Attacks
Given the sparsity of rapid mitigation options in the event of a software supply chain attack (because the victim organization doesn’t have the authority to command a timely response from their software vendor), it’s far more beneficial to invest in preventive measures.
🌐
hyperproof.io
hyperproof.io › home › nist recommendations for defending against software supply chain attacks
NIST Recommendations for Defending Against Software Supply Chain ...
What are preventative measures to stop software supply chain attacks?
1. Use a risk management lens when purchasing software 2. Ask prospective vendors for compliance verifications 3. Ask vendors about their software development life cycle (SDLC) practices 4. Use formal risk management and secure software development frameworks
🌐
hyperproof.io
hyperproof.io › home › nist recommendations for defending against software supply chain attacks
NIST Recommendations for Defending Against Software Supply Chain ...
🌐
NIST CSRC
csrc.nist.gov › pubs › other › 2022 › 02 › 04 › software-supply-chain-security-guidance-eo-14028-s › final
Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e | CSRC
February 4, 2022 - Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, May 12, 2021, directs the National Institute of Standards and Technology (NIST) to publish guidance on practices for software supply chain security. This document starts by explaining NIST’s approach for addressing Section 4e.
🌐
Scrut
scrut.io › blog › all frameworks › nist guidelines: safeguarding from software supply chain attacks
NIST Guide: Protecting Against Supply Chain Attacks
March 11, 2026 - It provides a foundation that organizations can build upon to address emerging threats and challenges in the software supply chain. NIST provides guidance on incorporating AI and ML into cybersecurity practices.
🌐
Anchore
anchore.com › blog › nist-software-supply-chain-security
NIST's Comprehensive Approach to Software Supply Chain Security | Anchore
September 13, 2023 - NIST is signaling they want to help move the goal in how the industry should approach software supply chain security. In this instance by emphasizing CI/CD pipelines, NIST is highlighting the importance of the processes that drive software development and deployment, rather than just the end product. While there’s no shortage of guidance on CI/CD pipelines, much of the existing literature is either outdated or too narrow in scope.
🌐
Digitaloceanspaces
ismg-cdn.nyc3.cdn.digitaloceanspaces.com › asset_files › external › nistsp800-204d.pdf pdf
Strategies for the Integration of Software Supply Chain ...
Supply chain security measures also apply to controls during the CD process. The following are · some due diligence measures that should be used during CD. These measures can be · implemented by defining verification policies for allowing or disallowing an artifact for ... Application with Service Mesh. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) NIST SP 800-204C.
Find elsewhere
🌐
Hyperproof
hyperproof.io › home › nist recommendations for defending against software supply chain attacks
NIST Recommendations for Defending Against Software Supply Chain Attacks
January 14, 2026 - We recommend using a formal Cyber-Supply Chain Risk Management (C-SCRM) approach teamed with a Secure Software Development Framework (SSDF) to more effectively identify, assess, and mitigate risks.
🌐
NIST
nist.gov › news-events › news › 2022 › 05 › nist-updates-cybersecurity-guidance-supply-chain-risk-management
NIST Updates Cybersecurity Guidance for Supply Chain Risk Management | NIST
February 3, 2025 - The revised publication, formally titled Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), provides guidance on identifying, assessing and responding to cybersecurity ...
🌐
Bitsight
bitsight.com › blog › new-nist-software-supply-chain-security-guidance-recommends-use-security-ratings
New NIST Software Supply Chain Security Guidance Recommends Use of Security Ratings | Bitsight
June 29, 2022 - Leveraging commercially-available tools like security ratings ... The NIST guidance was required from the May 2021 U.S. Executive Order (EO) on Improving the Nation’s Cybersecurity. The EO includes provisions designed to improve software supply chain security, including methods to reduce vulnerabilities in the software developed, as well as the cybersecurity practices of the software developers and suppliers themselves.
🌐
CSO Online
csoonline.com › home › security › application security › devsecops
NIST provides solid guidance on software supply chain security in DevSecOps | CSO Online
May 16, 2025 - The latest release comes from the US National Institute of Standards and Technology (NIST), in its special publication 800-204, also known as “Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines.”
🌐
Oligo Security
oligo.security › academy › ultimate-guide-to-software-supply-chain-security-in-2025
Ultimate Guide to Software Supply Chain Security in 2025
NIST guidelines emphasize identifying critical suppliers, securing development environments, assessing third-party software, and maintaining a thorough incident response plan. These documents serve as foundational resources for aligning with ...
🌐
NIST
nist.gov › itl › executive-order-14028-improving-nations-cybersecurity › software-supply-chain-security-guidance-12
Software Supply Chain Security Guidance: FAQs | NIST
February 4, 2022 - 1 (Second Draft), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. Are any other parts of EO 14028 related to this guidance? Yes. Section 4n references section 4k, which was discussed in the introduction to ...
🌐
Sonatype
sonatype.com › resources › state-of-the-software-supply-chain-2022 › regulation-standards
The Expansion of Software Supply Chain Regulations
In May 2022, NIST provided additional, comprehensive guidance in "Software Security in Supply Chains" related to the "acquisition, use, and maintenance of third-party software." The guidance also offered recommended concepts and capabilities ...
🌐
FOSSA
fossa.com › home › learn › software supply chain security
The Complete Guide to Software Supply Chain Security | FOSSA Learning Center
No matter the size or reputation of a prospective software vendor, it's always a good idea to conduct some form of security vetting. The SolarWinds breach was certainly a reminder of that. As a starting point, requesting a software bill of materials can help organizations gain visibility into potential vulnerabilities — we highlighted several benefits of consuming SBOMs earlier in this guide. NIST's publication on the minimum required elements of an SBOM offers a good baseline as to the type of data that should be included. (However, NIST's guidance is only mandatory for organizations selling into the U.S.
🌐
Reddit
reddit.com › r › NISTControls › comments › 13wn312 › executive_order_nist_800218
Executive Order - NIST 800-218 : r/NISTControls
May 31, 2023 - Anyone else mildly confused by the executive order from Biden, where Federal Agencies need to comply with NIST 800-218? Reading through all of the documentation, I am stuck on if we as a "software" company need to comply and/or the software we use to develop our software needs to comply...
🌐
NIST CSRC
csrc.nist.gov › pubs › sp › 800 › 161 › r1 › final
NIST Special Publication (SP) 800-161 Rev. 1 (Withdrawn), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
May 5, 2022 - These risks are associated with ... and services. This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations....
🌐
NIST
nist.gov › document › guidance-supply-chain-security-under-eo-14028-section-4c4d pdf
Software Security in Supply Chains Introduction
NIST’s foundational C-SCRM guidance, SP 800-161, Rev. 1, Cybersecurity · Supply Chain Risk Management Practices for Systems and Organizations; ... NIST’s EO webpage. To support the prioritization and practical implementation of evolving software supply · chain security recommendations, guidance is presented in the Foundational, Sustaining,
🌐
NIST
nist.gov › document › software-supply-chain-security-guidance-under-executive-order-eo-14028-section-4e pdf
Software Supply Chain Security Guidance Under Executive ...
February 4, 2022 - NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
🌐
Kslawllp
kslawllp.com › data-governance › nist-releases-software-supply-chain-security-guidance-in-response-to-eo-14028
NIST Releases Software Supply Chain Security Guidance in Response to EO 14028 — Kennedy Sutherland LLP
August 12, 2024 - In addition to the enhanced scrutiny ... the following: “Perform additional scrutiny on vendor SDLC capabilities, security posture, and risks associated with Foreign Ownership, Control, or Influence; Requiring vendors to ...
🌐
NIST
nist.gov › itl › executive-order-14028-improving-nations-cybersecurity › software-supply-chain-security-guidance-7
Software Cybersecurity for Producers and Purchasers | NIST
May 5, 2022 - NIST is publishing guidance identifying practices that enhance the security of the software supply chain as part of its assignments to enhance the security of the software supply chain called for by a May 12, 2021, Presidential Executive Order ...