The Federal Government relies on information and communications technology (ICT) products and services to carry out critical functions. The global supply chain for these technologies faces relentless threats from nation-state and criminal actors seeking to steal sensitive information and intellectual property, compromise the integrity of Government systems, and conduct other acts that impact the United States Government’s ability to safely and reliably provide services to the public.
Executive Order (EO) 14028, Improving the Nation’s Cybersecurity (May 12, 2021),1 focuses on the security and integrity of the software supply chain and emphasizes the importance of secure software development environments. The EO directs the National Institute of Standards and Technology (NIST) to issue guidance “identifying practices that enhance the security of the software supply chain.”2 The NIST Secure Software Development Framework (SSDF), SP 800-218,3 and the NIST Software Supply Chain Security Guidance4 (these two documents, taken together, are hereinafter referred to as “NIST Guidance”) include a set of practices that create the foundation for developing secure software. The EO further directs the Office of Management and Budget (OMB) to require agencies to comply with such guidelines. This memorandum requires agencies to comply with the NIST Guidance and any subsequent updates.
“The guidance released today will help us build trust and transparency in the digital infrastructure that underpins our modern world and will allow us to fulfill our commitment to continue to lead by example while protecting the national and economic security of our country,” Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, said.