The release of the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Office of the Director of National Intelligence (DNI) guidance “Securing the Software Supply Chain for Developers” (https://www.cisa.gov/uscert/sites/default/files/publications/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF; see also https://thenewstack.io/nsa-software-supply-chain-guidance/ and https://www.dni.gov/) reflects the industry-wide lack of proper supply chain security more than it serves as a working document organizations can use. It follows President Biden’s May 2021 Executive Order on cybersecurity, which listed supply chain-specific mandates, such as requiring software suppliers to provide a software bill of materials (SBOM, https://advisory.kpmg.us/blog/2020/what-are-sboms.html) when working with the U.S. government.
“Securing the Software Supply Chain for Developers” is at least a step in the right direction.
Still, the NSA’s guidelines reflect how the industry is moving towards realizing, discussing and hopefully commoditizing tools and processes to one day make the supply chain at least reasonably secure.