Software Supply Chain Security
Compliance and Legal Requirements

This page lists up-to-date regulations in the United States (NIST, FDA, PCI), the European Union, and Australia.

All software vendors and security engineering teams need to be familiar with these requirements to sell software in these markets.

Biden Administration
Executive Order 14028
"To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain..."
Read the order
National Cybersecurity Strategy Implementation Plan
"Achieving the President’s cybersecurity vision requires coordinated action across the United States Government and American society. The National Cybersecurity Strategy Implementation Plan is a roadmap for this effort."
Read the full plan
Requirements are cascading down to government organizations, standards bodies, and commercial compliance regimes
NIST
NIST SP 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
"This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities"
Read the document
Federal Drug Administration
FDA-2021-D-1158: Cybersecurity in Medical Devices
"4. a. Software Bill of Materials
Because vulnerability management is a critical part of a device’s security risk management processes, an SBOM or an equivalent capability should be maintained as part of the device’s configuration management, be regularly updated to reflect any changes to the software"
Read the document
Federal Drug Administration
FDA-2023-D-1030: Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems
"A person who submits an application [...] meets the definition of a cyber device under this section shall include such information as [FDA] may require to ensure that such cyber device meets the cybersecurity requirements under subsection (b).
(3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components"
Read the document
Office of Management and Budget
M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices
"2.b SBOMs must be generated in one of the data formats defined in the National Telecommunications and Information Administration (NTIA) report “The Minimum Elements for a Software Bill of Materials (SBOM)”
Read the memorandum
PCI DSS v4
Requirement 6: Develop and Maintain Secure Systems and Software
"6.3.2. An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management."
Read the document
European Union
EU Cybersecurity Strategy
"The strategy aims to build collective capabilities to respond to major cyberattacks. It also outlines plans to work with partners around the world to ensure international security and stability in cyberspace."
Read the strategy
Requirements are cascading down to government organizations and proposed legislation
DORA
Regulation 2022/2554: Digital Operational Resilience for the Financial Sector
"Article 13 1. Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience."
Read the act
Cyber Resilience Act
Regulation 2022/0272: Horizontal Cybersecurity Requirements for Products with Digital Elements
"(77) In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up an SBOM"
Read the act
Australia
Australian Cyber Security Centre
"[The goal is to] provide practical guidance on how an organisation can protect their systems and data from cyber threats. These cyber security guidelines cover governance, physical security, personnel security, and information and communications technology security matters."
Read the strategy
Requirements are cascading down to organizations through guidelines and controls
Information Security Manual
ISM-1730: Software bill of materials
"A software bill of materials is produced and made available to consumers of software."
Read the manual

Security Vulnerabilities
Found, Fixed & Merged,
Continuously

Less investigation toil.

More action on real issues.

Happy engineers.

Request Demo
Close Video