Unmitigated vulnerabilities in the software supply chain continue to pose a significant risk to organizations and our nation. This paper builds on the previously released Recommended Practices Guide for a software supply chain’s development, production and distribution, and management processes, to further increase the resiliency of these processes against compromise. This guidance also builds on and supports the Office of Management and Budget memorandum on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (M-23-16)4.
All organizations, whether they are a single developer or a large industry company, have an ongoing responsibility to maintain software supply chain security practices in order to mitigate risks, but the organization’s role as a developer, supplier or customer of software in the software supply chain lifecycle will continue to determine the shape and scope of this responsibility. The information contained in this guidance supports development activities of a single developer as well as activities of large industry companies. Activities should be planned for and acted upon one at a time, solidifying the new technique in the process before adding the next to be successful.