S3C2 Summit 2023-06: Government Secure Supply Chain Summit
William Enck, Yasemin Acar, Michel Cukier, Alexandros Kapravelos, Christian Kästner, Laurie Williams

TL;DR
The paper summarizes the discussions and insights from the S3C2 Summit 2023, focusing on government and industry challenges in securing software supply chains amidst recent cyber threats and incidents.
Contribution
It provides a comprehensive overview of practical challenges and shared experiences from government agencies and industry practitioners on software supply chain security.
Findings
Common challenges in implementing SBOMs and provenance.
Shared concerns about dependency management and self-attestation.
Insights into the impact of large language models on security.
Abstract
Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing fatal damage to businesses and organizations. Past well-known examples of software supply chain attacks are the SolarWinds or log4j incidents that have affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. On June 7, 2023, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 17 practitioners from 13 government agencies. The goal of the Summit was two-fold: (1) to share our observations from our previous two summits with industry, and (2) to enable sharing between individuals at the government agencies regarding practical experiences and challenges with software supply chain security.…
Taxonomy
Topics: Information and Cyber Security · Advanced Malware Detection Techniques · Software Engineering Research
