Just as with food and pharmaceuticals, software can be corrupted in ways that put users, organizations, and missions at risk. Thus each participant in the supply chain requires an appreciation of controls and processes that should be in the potential paths software can take before it is acquired and put into use. How do we ensure that the right levels of due diligence are being applied to help assure the confidentiality, integrity, and availability of the sensitive information entrusted to our third party vendors in our supply chain? Do we need an approach that uses a “do once, use many times” framework to save cost, time, and staff required to conduct redundant agency security assessments? What would such a standardized software supply chain approach consist of for assessment, authorization, risk management, and continuous monitoring for software products and services?
