Argon (now part of Aqua Security) approached the Center for Internet Security (CIS) with the
idea of developing a CIS Benchmark for Software Supply Chain Security. CIS has developed
and published secure configuration guidance (i.e., CIS Benchmarks) covering a wide variety
of technologies for many years, but the concept of creating a Benchmark for Software
Supply Chain Security presented a new set of issues. There are a variety of technologies and
platforms commonly used for developing modern software, so which should be covered? How
do we ensure consistent security recommendations across the various platforms?

It was decided that instead of diving into creating a specific Benchmark initially, a more
generic guidance set would be created first to act as the parent for the more specific guidance
to come. Thus, the CIS Software Supply Chain Security Guide was born. The hope is that
publishing this Guide will elicit feedback from the global community that will help ensure
the future platform-specific guidance (CIS Benchmarks) is even more accurate and relevant.