The "4W+1H" of Software Supply Chain Security Checklist for Critical Infrastructure
Liming Dong, Sung Une Lee, Zhenchang Xing, Muhammad Ejaz Ahmed, Stefan Avgoustakis

TL;DR
This paper develops a comprehensive checklist of 80 questions to evaluate and improve software supply chain security in critical infrastructure, addressing gaps in existing frameworks and emphasizing a context-aware approach.
Contribution
It introduces a structured
Findings
Few frameworks are tailored to critical infrastructure sectors.
Identified gaps between existing guidance and sector-specific needs.
Proposed a multi-layered checklist for practical security assessment.
Abstract
The increasing frequency and sophistication of software supply chain attacks pose severe risks to critical infrastructure sectors, threatening national security, economic stability, and public safety. Despite growing awareness, existing security practices remain fragmented and insufficient, with most frameworks narrowly focused on isolated life cycle stages or lacking alignment with the specific needs of critical infrastructure (CI) sectors. In this paper, we conducted a multivocal literature review across international frameworks, Australian regulatory sources, and academic studies to identify and analyze security practices across the software supply chain, especially for specific CI sectors. Our analysis found that few existing frameworks are explicitly tailored to CI domains. We systematically leveraged identified software supply chain security frameworks, using a "4W+1H" analytical…
