It's important to understand that the software supply chain consists of two distinct phases, that must be secured:

1. Software Development Life Cycle (SDLC) supply chain activities, performed by a software vendor
2. Cyber Supply Chain Risk Management  (C-SCRM) activities, performed by software consumers

The activities performed during each phase are distinctly different and the evidence data produced during each phase is also very different.

Next Tuesday, 8/31, I will be presenting an overview of phase 2 activities, performed by software consumers, to NPCC TFIST, describing best practices to perform software verification for NERC CIP-010-3 requirements. 

The software supply chain is, perhaps, our weakest link, when it comes to securing our digital ecosystems across critical infrastructure. These steps taken by the Biden Administration, and the industry leaders that committed to improving protections against cyber threats, is the first step in a long journey - that we must take to stop ransomware and other harmful software from being installed. We cannot secure the software supply chain without the combination of SBOM's and commercially available C-SCRM solutions that process SBOM's.

REMINDER: The Linux Foundation is hosting an SBOM test-bed called DocFest on September 16th to ensure interoperable SBOM's are available across critical infrastructure - please encourage your software vendors to participate in this important industry cause.

Never trust software, always verify and report!™