Cyberattacks are conducted via cyberspace and target an enterprise’s use of cyberspace for the
purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or
infrastructure; or destroying the integrity of the data or stealing controlled information.1
Recent cyberattacks such as those executed against SolarWinds and its customers, and exploits that
take advantage of vulnerabilities such as Log4j, highlight weaknesses within software supply
chains, an issue which spans both commercial and open source software and impacts both private
and Government enterprises. Accordingly, there is an increased need for software supply chain
security awareness and cognizance regarding the potential for software supply chains to be
weaponized by nation state adversaries using similar tactics, techniques, and procedures (TTPs).
In response, the White House released an Executive Order on Improving the Nation’s Cybersecurity
(EO 14028). EO 14028 establishes new requirements to secure the federal government’s software
supply chain. These requirements involve systematic reviews, process improvements, and security
standards for both software suppliers and developers, in addition to customers who acquire
software for the Federal Government.
Similarly, the Enduring Security Framework2 (ESF) Software Supply Chain Working Panel has
established this guidance to serve as a compendium of suggested practices for developers,
suppliers, and customer stakeholders to help ensure a more secure software supply chain. This
guidance is organized into a three part series: Part 1 of the series focuses on software developers;
Part 2 focuses on software suppliers; and Part 3 focuses on software customers.
Customers (acquiring organizations) may use this guidance as a basis of describing, assessing, and
measuring security practices relative to the software lifecycle. Additionally, suggested practices
listed herein may be applied across the acquisition, deployment, and operational phases of a
software supply chain.
The software supplier (vendor) is responsible for liaising between the customer and software
developer. Accordingly, vendor responsibilities include ensuring the integrity and security of
software via contractual agreements, software releases and updates, notifications, and mitigations
of vulnerabilities. This guidance contains recommended best practices and standards to aid
suppliers in these tasks.
This document will provide guidance in line with industry best practices and principles which
software developers are strongly encouraged to reference. These principles include security
requirements planning, designing software architecture from a security perspective, adding
security features, and maintaining the security of software and the underlying infrastructure (e.g.,
environments, source code review, testing).