Book 3: Governing the Software Supply Chain

Technical controls alone cannot secure software supply chains. Sustainable security requires organizational commitment, regulatory compliance, economic incentives, and industry-wide collaboration. This book addresses the human, policy, and strategic dimensions of supply chain security that determine long-term success.

We begin with the people side of security—building training programs, establishing security champion networks, and creating career paths. Special attention is given to open source maintainers, who occupy a unique position in the ecosystem. Vendor and third-party risk management extends supply chain thinking to commercial software and services.

The regulatory landscape is evolving rapidly, and we provide detailed coverage of U.S. Executive Order 14028, the EU Cyber Resilience Act, and compliance frameworks. Beyond individual organizations, we examine industry initiatives driving collective improvement. Finally, we look toward the future—geopolitical dimensions, lessons from other industries, and emerging technologies for defense.