Establishment and Expansion of Software Supply Chain Regulations and Standards

Worldwide, we continue to see a push for digital transformation not only in the private sector but increasingly through government guidance and regulation. In 2022, the European Union Agency for Cybersecurity (ENISA) identified the compromise of software supply chains through software dependencies as the foremost emerging threat. Recognizing the profound implications of cyber threats to national security and economic stability, the United States (US) and the European Union (EU) have taken the lead in orchestrating robust regulatory frameworks and providing substantive guidance to fortify defenses against escalating cyber risks. Their comprehensive approach to cybersecurity includes stringent requirements for critical infrastructure sectors, enactment of rigorous data protection laws, and enhancement of international cooperation to combat cybercrime.

However, various regions across the globe are experiencing notable surges in cybersecurity endeavors outside the US and EU. Canada, Japan, Australia, Germany, and others are acknowledging the criticality of securing software supply chains by drafting legislation and building capabilities to thwart cyber threats. While the bulk of documented guidance and regulation is coming from the US and EU, it’s clear the pressing need to safeguard the digital realm is a global imperative.

What’s happening around the world?

Click on a region of the map for an update on governance and regulations in 2023


What’s happening in the United States?

Further US analysis


What’s happening in the European Union

  • September 15, 2022, the first draft of the Cyber Resilience Act (CRA), which throughout 2023 has been widely criticized by the Open Source Software community as potentially restrictive and detrimental to the open source community in Europe and beyond.
  • On the heels of the CRA, draft updates to the Product Liability Directive (PLD) include specific attention to increasing liability related to Open Source Software projects and have produced negative feedback from the OSS community in line with the CRA.
  • January 16, 2023, Network and Information Security Directive (NIS2 Directive), which was approved in 2022 and aims to set new standards for cybersecurity within the European Union, is put into force with an October 17, 2024 deadline for members of the EU to have the directive implemented.

Further EU analysis


What’s happening in Australia

Read more on the Quad Cyber Security Partnership


What’s happening in Canada

Further Canada analysis


What’s happening in Germany

  • In April 2023, Germany’s Federal Office for Information Security (BSI) contributed to the publication from the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility of cybersecurity to software organizations.
More on the Shifting Balance of Cybersecurity Risk document.

What’s happening in India

Read more on the Quad Cyber Security Partnership


What’s happening in Japan

Read more on the Quad Cyber Security Partnership

flag-New Zealand

What’s happening in New Zealand

  • In April 2023, New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ) contributed to the publication from the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility of cybersecurity on software organizations.

More on the Shifting Balance of Cybersecurity Risk document


What’s happening in the United Kingdom

  • In December 2022, the UK government unveiled an update to its Government Cyber Security Strategy regarding supply chain vulnerabilities and assigned the Department for Digital, Culture, Media, and Sport (DCMS) to implement Network and Information Systems (NIS) regulations in collaboration with the National Cyber Security Centre. 
  • In February 2023, the UK government called for views on software resilience and security for businesses and organizations as a follow-up to the July 2022 proposed legislation on enhancing the country’s cyber resilience.
  • In April 2023, the United Kingdom’s National Cyber Security Centre (NCSC-UK) contributed to the publication of the Australian Cyber Security Center (ACSC) “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.” The document indicates a shift in placing responsibility of cybersecurity to software organizations.

More on the Shifting Balance of Cybersecurity Risk document

United States


National Cybersecurity Strategy

The National Cybersecurity Strategy (NCS) has been hailed as the foundational document for advancing cybersecurity and is shaping legislation globally. Its comprehensive content underscores the urgency of enhancing cybersecurity both in the US and internationally. Addressing a wide range of areas from infrastructure — related to incidents like SolarWinds and NotPetya — to software bill of materials (SBOM) alignment with Executive Order (EO) 14028, the NCS emphasizes the growing importance of security in software design. Moreover, it underscores impending changes in accountability for software manufacturers. Specifically, organizations unable to prove security is inherently integrated into their software design will face increased responsibilities and liabilities.

The National Cybersecurity Strategy underscores the impending changes in accountability and liability for software manufacturers in the US.

Securing Open Source Software Act of 2023 

In March 2023, Congress introduced legislation "to establish the duties of the Director of the Cybersecurity and Infrastructure Security Agency regarding open source software security, and for other purposes."

AI for National Security Act

In March 2023, the House Armed Services Committee introduced legislation "to make certain improvements to the enterprise-wide procurement of cyber data products and services by the Department of Defense and for other purposes." In subsection (b), it inserts "including by enhancing the security of the software supply chain of the Department" after "best interests of the Department."

FDA Cybersecurity in Medical Devices

On December 29, 2022, the Consolidated Appropriations Act, 2023 ("Omnibus") became law. Within it, Section 3305 titled "Ensuring Cybersecurity of Medical Devices" updated the Federal Food, Drug, and Cosmetic Act (FD&C Act) by introducing Section 524B on device cybersecurity. According to the Omnibus, cybersecurity mandates won't apply to applications or submissions made to the Food and Drug Administration (FDA) before March 29, 2023.

SEC regulations

Similar to the FDA, the Securities and Exchange Commission (SEC) proposed a number of rules (33-11028, 33-11038, 34-91742) for public companies, the securities market, advisers, funds, and others within SEC's regulatory scope. This move responds to various findings, including those by the FBI and Congress as well as Cybersecurity and Infrastructure Security Agency (CISA), that state "cybersecurity incidents are underreported." 

Among the new rules are requirements for organizations to demonstrate the development of robust processes and procedures for vulnerability management, detection, mitigation, and remediation. In addition to these requirements, the SEC has proposed specific rules concerning the disclosure of said processes and procedures. 

In July 2023, the SEC adopted new rules compelling organizations to disclose significant cybersecurity incidents and provide annual cybersecurity risk management, strategy, and governance information, with comparable requirements for foreign private issuers. Registrants must also describe their cybersecurity risk assessment processes and board oversight in an annual report. 

SEC Chair Gary Gensler emphasized that any material event, including cybersecurity incidents, should be disclosed to benefit investors and the market. The rules mandate disclosing the specifics of a significant cybersecurity incident — namely, its nature, scope, timing, and impact — within four business days unless it's deemed a national security risk by the U.S. Attorney General, in which case it can be delayed. 

Secure Software Self-Attestation Common Form

In April 2023, this document was released for comments. It represents a sequence of events initiated by EO 14028, which directed National Institute of Standards and Technology (NIST) to provide guidance on secure software development standards. EO 14028 also directed the Office of Management and Budget (OMB) to require federal agencies to collect information from software manufacturers that supply software products to the US government. The OMB responded with M-22-18, setting the guidelines for requiring federal agencies to collect this information.

As part of these guidelines, software manufacturers must attest to using secure software development best practices highlighted in the memo and developed by NIST. While this is simply a first step, it aligns with the secure-by-design-and-default approach CISA has released. It incorporates secure software development best practices from NIST's Secure Software Development Framework (SSDF) and asks organizations providing software to the US government to self-attest that they have embedded this guidance into their software development process. 

The OMB's self-attestation policy will require software manufacturers doing business with the US government to attest to NIST guidelines based on CISA's secure-by-design and secure-by-default principles established in the National Cybersecurity Strategy.

National Cybersecurity Strategy Implementation Plan

In July 2023, the Biden-Harris Administration released the National Cybersecurity Strategy Implementation Plan (NCSIP) to align roles, responsibilities, and resources in cyberspace. 

It focuses on two shifts:

  • Greater burden-sharing in cybersecurity by major entities
  • Promotion of long-term cybersecurity investments
The plan outlines over 65 high-impact initiatives, from combating cybercrimes to building a skilled cyber workforce, which aligns to the five pillars outlined in the NCS:

Five pillars of the NCS

Pillar One:
Defending Critical Infrastructure

This pillar focuses on updating the National Cyber Incident Response Plan (NCIRP) to enhance coordination during cyber incidents and provide clear guidance to external partners, led by CISA.

Pillar four:
Investing in a Resilient Future

Focusing on cybersecurity standards and quantum-resistant cryptography, this pillar, led by NIST, aims to enhance US leadership in international cybersecurity standardization and quantum-resistant cryptographic algorithms.

Pillar Two:
Disrupting and Dismantling Threat ActorS

This pillar aims to combat ransomware and cybercrime with coordinated efforts, including disruption operations against ransomware ecosystems and offering resources to high-risk targets, co-chaired by CISA and the FBI.

Pillar five:
Forging International Partnerships to Pursue Shared Goals

This pillar involves development of international cyberspace and digital policy strategies, collaboration with partners and allies, and strengthening of knowledge and skills in cyberspace and digital policy, led by the Department of State.

Pillar three:
Shaping Market Forces and Driving Security and Resilience

This pillar, through efforts led by CISA, seeks to increase software transparency through SBOMs to reduce supply chain risks and explore a globally accessible database for end-of-life software.

Overall, the NCSIP emphasizes resilience, equity, and defense in cyberspace and is led by 18 government agencies and coordinated by the Office of the National Cyber Director (ONCD). The NCSIP aligns with the private sector, civil society, international partners, and government entities. It covers key areas like critical infrastructure defense, threat actor disruption, shaping of market forces, investing in resilience, and forging of international partnerships.

Cyber Strategy of the Department of Defense (Declassified)

In September 2023, the Department of Defense (DOD) released a declassified summary of its classified 2023 Cyber Strategy, aligning it with national security priorities. It builds on lessons learned from cyber operations and the Russia-Ukraine conflict, emphasizing collaboration with allies and partners. 

The strategy aims to maximize cyber capabilities for integrated deterrence, enhance cyber network defense, support non-DOD agencies, and safeguard the defense industrial base. Notably, it commits to bolstering collective cyber resilience among allies and integrating cyber capabilities into traditional warfighting efforts. This marks the fourth iteration of the DOD's cyber strategy, informed by significant experience in cyberspace operations.

CISA Open Source Software Security Roadmap

At the OpenSSF Secure Open Source Software Summit in September 2023, CISA announced its Open Source Software Security Roadmap, which outlines strategic goals and objectives for enhancing the security of open source software (OSS). 

The roadmap focuses on four key goals to guide CISA in enhancing OSS security, aligning with broader cybersecurity strategies, and fostering collaboration with the OSS community and international partners:

CISA’s key goals to enhance security of open source software

Data scientists and engineers tasked with deploying open source large language models (LLMs) shoulder a substantial burden, encompassing numerous critical decisions. Given how this dynamic can influence OSS security, CISA established the following goals:

Goal 1

Establish CISA’s role in supporting OSS security, partnering with OSS communities, and encouraging collective action.

Goal 3

Reduce risks to the federal government by evaluating solutions for secure OSS usage, developing open source program office (OSPO) guidance, and prioritizing federal actions in OSS security.

Goal 2

Drive visibility into OSS usage and risks, understanding the prevalence of OSS, developing a risk-prioritization framework, and assessing threats.

Goal 4

Harden the OSS ecosystem, advance SBOMs, foster security education for OSS developers, publish OSS security best practices, and coordinate OSS vulnerability disclosure and response.

NHTSA Cybersecurity Best Practices of Modern Vehicles

In September 2022, the United States Department of Transportation National Highway Traffic Safety Administration (NHTSA) published Cybersecurity Best Practices for the Safety of Modern Vehicles, a document aimed at addressing cybersecurity in modern vehicle manufacturing. 

Among many recommendations, the NHTSA guides manufacturers to demonstrate processes and procedures to inventory software assets, track details related to open source software components, continuously monitor and assess risk, and disclose vulnerabilities. Most of these recommendations are also backed by the International Organization of Standardization (ISO) cybersecurity standards.

European Union


Cyber Resilience Act

The Cyber Resilience Act (CRA) was proposed in September 2022, and it was met with mixed reviews. On the surface, it represents an improvement in holding manufacturers liable for the security of the software products they produce. However, it also represents a different direction for holding open source projects and creators liable for vulnerable software and attempts to potentially bring them in line with any traditional supplier. This approach presents interesting issues. 

Although open source software is part of the software supply chain, how someone uses the software is often outside the understanding and control of the creator or open source project itself. As currently formulated, the CRA carries the potential to pose substantial barriers to many open source projects and even the distributors of open source software, potentially limiting their accessibility to EU markets. In some cases, it may discourage involvement in open source software in the EU altogether, putting EU-based companies far behind innovation and efficiency leaps in other geographical areas.

As currently formulated, the CRA carries the potential to pose substantial barriers to many open source projects and even the distributors of open source software, potentially limiting their accessibility to EU markets.


Product Liability Directive

The Product Liability Directive (PLD) delineates rules and guidance for the liability and responsibility of manufacturers of defective products as well as suppliers of defective parts for those products. A proposed update in September 2022 marked a notable expansion encompassing software and digital products, which had been excluded previously. 

These updates put open source software and any related projects or activity within the potential sights of liability or responsibility associated with defects (i.e., vulnerabilities). For example, as written, there would be potential to find distributors of parts, such as Sonatype/Maven Central, liable for open source vulnerabilities resulting in loss or, in some cases, distress to software product customers.

Network and Information Security Directive

In December 2022, the European Parliament approved updates to the Network and Information Security Directive (NIS), referring to it going forward as NIS2. NIS2 is an evolution intended to modernize the approach of EU member nations towards cybersecurity. Among a host of updates, NIS2 includes call-outs for improved software supply chain security, greater attention to critical vulnerabilities, the increase of attacks via malicious threats, and the necessity of processes for disclosure and communication, such as Coordinated Vulnerability Disclosure (CVD). 

The updated Network and Information Security Directive (NIS2) will impose stringent compliance requirements by October 2024 based on newly defined business sector categories: Highly Critical, Critical, and Essential Entities.

NIS2 makes it clear that "businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive." In addition, there are a number of requirements imposed based on different business categories: Highly Critical Sectors, Critical Sectors, and Essential Entities. In order to help countries address these requirements, ENISA published guidance documentation including Good Practices for Supply Chain Security. Failure to meet the requirements established within NIS2 can result in a number of sanctions.


On October 28, 2022, the Canadian Centre for Cyber Security (the Cyber Centre) released its National Cyber Threat Assessment 2023-2024, warning that state-sponsored and criminal cyber threats are increasingly likely to affect Canadians. The report highlights five key areas of concern: ransomware, critical infrastructure, state-sponsored threats, influence operations, and disruptive technologies. 

Among a number of criteria, the report also cites increased risk from remote work, more connected systems, and the proliferation of cybercrime tools. In assigning responsibility, the report points to threat actors in China, Russia, Iran, and North Korea that pose the greatest state-sponsored risk. In response, the Canadian government has invested in cybersecurity, including $875 million in its Budget 2022 to bolster defenses. 

In February 2023, the Cyber Centre published "Protecting your organization from software supply chain threats," which offers guidance and best practices for securing software supply chains. The document outlines the importance of minimizing software supply chain risk, including the ability of malware to compromise updates, and the importance of remediating vulnerabilities in OSS components. Recommendations include vetting suppliers, monitoring them continuously, and incorporating supply chain risk management into security programs. Finally, organizations should have recovery plans to ensure business continuity when software supply chain attacks occur.

Global partnerships


Quad Cybersecurity Partnership: Joint Principles for Secure Software

Published in May 2023, the "Quad Cybersecurity Partnership: Joint Principles for Secure Software" outlines the commitment of the Quad partners (the United States, Japan, India, and Australia) to enhance software security.

Main points of Quad Cybersecurity Partnership

Recognition of security risks

The Quad partners acknowledge the risks associated with the software supply chain being tampered with by adversarial and non-adversarial threats.

Secure software development practices

The document outlines high-level secure software development practices, including preparing the organization, protecting software and its development environment, producing well-secured software, and responding to vulnerabilities.

Promotion of secure software culture

The Quad partners aim to promote a culture where software security is a fundamental aspect of software development.

Government procurement guidelines

Each Quad country intends to adopt guidelines for government procurement of software, including self-attestation by software producers regarding secure development practices and encouraging participation in national vulnerability disclosure programs.

Minimum cybersecurity guidelines

The Quad partners commit to establishing minimum cybersecurity guidelines for governments to guide software development, procurement, and usage, aligned with international obligations and domestic laws.

Security measures for government software use

The Quad partners commit to implementing controls and processes to protect government software and platforms from unauthorized access and usage.

Engagement with the software industry

They plan to engage with the software industry to ensure secure software practices are integrated throughout the software development life cycle, with the goal of reducing vulnerabilities.


Secure by Design and Default International Support

In April 2023, the Australian Cyber Security Center (ACSC) published "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default." This is the same document that has become the guiding foundation for the US cybersecurity strategy. Though the guidance has been led by CISA and the FBI in the US, the document represents a collaboration across many international cybersecurity organizations:

  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Canadian Centre for Cyber Security (CCCS)
  • United Kingdom’s National Cyber Security Centre (NCSC-UK)
  • Germany’s Federal Office for Information Security (BSI)
  • Netherlands’ National Cyber Security Centre (NCSC-NL)
  • New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
The significance of this collaboration cannot be overstated as it represents a pivotal shift in cybersecurity responsibility towards software organizations.
The significance of this collaboration cannot be overstated as it represents a pivotal shift in cybersecurity responsibility towards software organizations. As previously discussed, the "Secure by Design and by Default" approach highlights the crucial integration of security into the design and default settings of technology products, effectively mitigating cyber threats. It emphasizes that the onus of security should not solely rest on end-users, compelling technology manufacturers to prioritize security as a core business objective. To achieve success, a global shift towards embracing Secure-by-Design and Secure-by-Default practices is imperative, fostering transparency, accountability, and collaboration between manufacturers and customers. This necessitates manufacturers being held accountable for product security outcomes and prioritizing Secure-by-Design and Secure-by-Default principles when making technology procurement decisions. Overall, this guidance shapes future cybersecurity policies by advocating for proactive security measures and shared responsibility within the technology ecosystem.

Are software supply chain regulations working? 

As we've seen from the analysis above, we're still in the very early stages of implementing true regulation that will hold people accountable for more secure software supply chains. 

But, especially in the US, the conversation and incremental changes since President Biden’s Executive Order 14028, Improving the Nation's Cybersecurity, are starting to become noticeable. As a direct requirement of the executive order, the OMB was instructed to develop policy for federal agencies working with government contractors. Following that directive, the OMB released M-22-18, highlighting the importance and potential requirement for SBOMs, especially as part of new self-attestation standards. To understand this further, we surveyed 217 Cybersecurity Directors in organizations with over £50 million/$50 million revenue in the UK and US respectively, and asked to what extent various policies were affecting their actions toward software supply chain management today.
of enterprises have adopted a software bill of materials (SBOM) since President Biden's introduction of Executive Order 14028, Improving the Nation's Cybersecurity.
A huge majority (76%) of enterprises have adopted SBOMs since EO 14028's introduction. Another 16% plan to implement SBOMs within the next year, showing increasing recognition of the correlation between open source hygiene and cybersecurity posture. Of the three-quarters of companies with SBOMs in place, only 4% adopted them over three years ago, demonstrating how much practices have evolved since EO 14028.
Our research also confirmed EO 14028 has influenced enterprises' software development practices in ways transcending SBOMs. Respondents are increasingly investing in technologies to improve software supply chain management, including vulnerability scanning (30%), software composition analysis (24%), supply chain automation (23%), threat intelligence (22%), and bug bounty programs (20%). The regulation has also fueled investment in skills and operations like employee training and awareness (26%), recruiting developer talent (21%), and processes to assess supply chain risks (24%).

We also examined attitudes to regulation in the UK and the US, uncovering that large enterprises generally see regulation as a good thing. In fact, 41% of security decision-makers see cyber regulation as the factor having the greatest positive impact on software security. Some, however, lament the volume of cybersecurity regulation, with 44% of business leaders believing there is too much government intervention on cybersecurity overall.
Fig 5-1@2x



Fig 5-2@2x



Fig 5-2_mobile@2x

Navigating the policy frontier: Global cybersecurity regulations

The global landscape of cybersecurity guidance and regulation in 2023 reflects a marked transformation compared to years past, driven by the ever-increasing urgency to address evolving cyber threats.

Initiatives and regulatory actions taken by key players such as the US, EU, UK, Australia, Canada, Japan, and New Zealand demonstrate a shared commitment to improve digital defenses and safeguard critical infrastructure.

Three key themes have emerged:

  • Heightened emphasis on security during software creation.
  • Holding software producers accountable for their products.
  • The need for robust processes to address cybersecurity incidents.

The global trend of cybersecurity regulations in 2023 demonstrates a growing collective endeavor to adapt to the ever-changing threat environment. Further international cooperation in this regard will be necessary to better prioritize secure software development practices. Regulations covered above as well as future related initiatives will play a pivotal role in shaping the future of cybersecurity policies and practices at scale worldwide.


NEXT UP: Chapter 6 ... in seconds.

AI in Software Development

Continue reading