
As our reliance on technology has increased, the focus on supply chains has evolved from the movement of physical goods to include the security of software used in complex IT systems. High profile attacks, like that on the SolarWinds supply chain, highlighted the necessity of ensuring the security of each piece of a technology solution.
Today the risks introduced by inadequate security are growing exponentially due to the introduction of artificial intelligence (AI) tools. Bad actors can use AI to move faster across the software supply chain. The wide variety of tools and platforms used by developers has created a shadow IT challenge that is hard to secure. The pressure to push applications into production faster also complicates the ability to fully vet and secure entire software supply chains.
Supply Chains as National Security
The criticality of securing software supply chains was underlined by a strategy document released in late 2025 that instructs intelligence agencies to “monitor key supply chains and technological advances around the world” in order to ensure vulnerabilities and threats can be understood and mitigated.
Intelligence agencies are uniquely positioned to support these efforts as they not only have the data on foreign threats but also experience in vetting technology for their own use. The highly mature risk-management processes they have in place can benefit agencies across government in the escalating threat environment.
Beyond executive memos, legislative action is supporting the expansion of supply chain security. The Federal Acquisition Security Council (FASC) Improvement Act of 2026 passed the House Oversight and Government Reform Committee in a 40-1 vote. This bill would strengthen the powers of the FASC by moving it into the Executive Office of the President and expanding its membership and authorities. It would broaden the council’s focus to acquisition security, require proactive monitoring of certain covered products, and establish a program office to support its work.
Use of Software Bills of Materials Evolves
Software Bills of Materials (SBOMs) were introduced as a standard practice to ensure that software supply chain security is understood and monitored. An SBOM is essentially a software ingredient list that enables agencies and organizations to see exactly what’s inside the applications they use. This visibility is crucial for identifying known vulnerabilities, managing third-party and open-source dependencies, and making informed risk decisions.
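As an added illustration that is not part of the original article, the check below walks a constructed CycloneDX-style SBOM and matches each component's package URL and version against a constructed advisory list, flagging affected components and, just as importantly, entries that carry no version and therefore cannot be assessed. Component names, purls and advisory ids are all made up for this example.

```python
import json

# Constructed minimal CycloneDX-style SBOM for a hypothetical application.
# Component names, versions and purls are made up for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-logger", "version": "2.14.1",
     "purl": "pkg:maven/com.example/acme-logger@2.14.1"},
    {"type": "library", "name": "acme-logger-api", "version": "2.18.0",
     "purl": "pkg:maven/com.example/acme-logger-api@2.18.0"},
    {"type": "library", "name": "vendor-blob", "purl": "pkg:generic/vendor-blob"},
    {"type": "library", "name": "tiny-json", "version": "1.0.9",
     "purl": "pkg:npm/tiny-json@1.0.9"}
  ]
}"""

# Constructed advisory records; in practice these come from a vulnerability feed.
# The ids are placeholders, not real advisory identifiers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_base": "pkg:maven/com.example/acme-logger",
     "introduced": "2.0.0", "fixed_in": "2.17.1"},
    {"id": "ADV-EXAMPLE-0002", "purl_base": "pkg:npm/tiny-json",
     "introduced": "1.0.0", "fixed_in": "1.0.9"},
]

def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def purl_base(purl):
    """Drop the '@version' suffix from a purl (npm scopes are %40-encoded, so the first '@' is the version)."""
    return purl.split("@", 1)[0]

def assess_sbom(sbom_text, advisories):
    """Return one finding per SBOM component: affected, clean, or unassessable."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            # An entry without a version cannot be matched; surface it rather than treating it as clean.
            findings.append({"name": comp.get("name"), "status": "unassessable", "advisories": []})
            continue
        # Exact match on the purl base avoids prefix false positives (acme-logger vs acme-logger-api).
        hits = [a["id"] for a in advisories
                if purl_base(purl) == a["purl_base"]
                and parse_version(a["introduced"]) <= parse_version(version) < parse_version(a["fixed_in"])]
        findings.append({"name": comp["name"], "status": "affected" if hits else "clean", "advisories": hits})
    return findings
```

The "unassessable" status is the practical caveat: an SBOM only delivers the visibility described above when every component carries an identifier and a version that a vulnerability feed can be matched against.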
The Office of Management and Budget (OMB) recently altered the approach to SBOMs, rescinding a 2022 order that mandated a single, standardized self-attestation form for federal agencies to obtain cybersecurity assurances from software vendors. The OMB said the mandate “diverted agencies from developing tailored assurance requirements for software.”
Under the new guidance, agencies must still maintain a complete inventory of software and hardware and develop software and hardware assurance policies and processes that match their risk determinations and mission needs. They can use existing tools and templates and can also create other contractual terms to meet their mission needs.
This guidance moves SBOMs and attestations from “must” to “may.” While this takes away a compliance item, it does not remove the responsibility for ensuring security. CIOs and CISOs now hold responsibility to understand their risk and to assess how to manage that risk better.
To follow trends and tactics in software supply chain security, check out these resources:
Gartner Supply Chain Symposium/Xpo 2026 (May 4, 2026; Lake Buena Vista, FL) – Discover insights on how CSCOs and supply chain leaders should predict disruptions, drive innovation and build resilient, tech-enabled supply chains.
Xponential 2026 (May 11-14, 2026; Detroit, MI) – This event explores the entire supply chain, from sensors and components to platforms, software, and services. This year's conference puts resilience and real-world implementation at the center, bringing together industry, government, and academia to turn innovation into capability. Hear from leaders shaping the future of autonomy and explore how it's being applied across every sector, from defense and infrastructure to AI integration and real-world deployment.
Achieving CMMC Compliance and Mitigating Supply Chain Risk Webinar (May 12; online) – Stepping into the Confidential Unclassified Information (CUI) and Cybersecurity Maturity Model Certification (CMMC) worlds can be overwhelming, to say the least. This session will discuss the beginning stages of achieving CMMC and mitigating risk to the defense supply chain.
DLA Supply Chain Alliance Symposium & Exhibition (June 2-3, 2026; Columbus, OH) – This event is hosted by the National Defense Industrial Association (NDIA) in partnership with the Defense Logistics Agency and will offer new concepts, insight on Government policy and processing, and will allow for networking, opportunities to share issues, and collective problem solving for a long-term, sustainable supply chain.
The Future of Open Source Security: A Trust-First Approach to the Federal Supply Chain (white paper) – This whitepaper offers strategic insights for federal leaders looking to navigate the complexities of securing open source software. From dynamic SBOMs and modernized procurement practices to AI governance and continuous assurance, this guide highlights actionable steps to build resilient, trust-based software supply chains.
Going Beyond the SBOM (white paper) – Today’s organizations rely heavily on third-party software to power critical business functions, but traditional methods of assessing vendor risk often fall short. The software bill of materials (SBOM) provides visibility, yet it only scratches the surface of the threats hidden within complex commercial applications. By going beyond the SBOM, enterprises gain actionable insights to strengthen trust and resilience across their software supply chains.
Modernizing RMF for Continuous, Evidence-Based Security (white paper) – The fastest way to move RMF away from compliance and into the mission space is to stop treating authorization as a milestone and start treating it as a continuous engineering process.