Enhancing Software Supply Chain Security (2021)

ID: 64213

Size: 0.12 MB

Pages: 4

Date: 2023-06-29

Uploader: 亚森
Sec. 4. Enhancing Software Supply Chain Security.

(a) The security of software used by the Federal Government is vital to the Federal Government's ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of "critical software", meaning software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources), is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.
(b) Within 30 days of the date of this order, the Secretary of Commerce acting through the Director of NIST shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria in subsection (e) of this section. The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.

(c) Within 180 days of the date of this order, the Director of NIST shall publish preliminary guidelines, based on the consultations described in subsection (b) of this section and drawing on existing documents as practicable, for enhancing software supply chain security and meeting the requirements of this section.

(d) Within 360 days of the date of this order, the Director of NIST shall publish additional guidelines that include procedures for periodic review and updating of the guidelines described in subsection (c) of this section.

(e) Within 90 days of publication of the preliminary guidelines pursuant to subsection (c) of this section, the Secretary of Commerce acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall issue guidance identifying practices that enhance the security of the software supply chain. Such guidance may incorporate the guidelines published pursuant to subsections (c) and (i) of this section. Such guidance shall include standards, procedures, or criteria regarding:

(i) secure software development environments, including such actions as: (A) using administratively separate build environments; (B) auditing trust relationships; (C) establishing multi-factor, risk-based authentication and conditional access across the enterprise; (D) documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software; (E) employing encryption for data; and (F) monitoring operations and alerts and responding to attempted and actual cyber incidents;

(ii) generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section;

(iii) employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;