Chapter 26: Regulatory and Policy Landscape
Chapter 26 surveys the regulatory frameworks governing software supply chain security across the major jurisdictions. It begins with U.S. Executive Order 14028 (May 2021), issued in the wake of the SolarWinds compromise, which directs agencies to require secure software development practices and attestations to them, Software Bills of Materials (SBOMs), and participation in vulnerability disclosure programs from vendors that sell software to the federal government. The accompanying OMB memoranda turn those directives into binding attestation requirements and timelines, and because vendors must vouch for the components they ship, the obligations flow down through their own supply chains.
The European Union's Cyber Resilience Act (CRA) takes a fundamentally different approach, treating insecure software as an unsafe product that cannot lawfully be placed on the EU market. The CRA applies to virtually all products with digital elements sold in the EU, requiring conformity assessment, CE marking, and reporting of actively exploited vulnerabilities within 24 hours (an initial early warning, followed by a fuller notification within 72 hours). The regulation distinguishes between commercial software manufacturers, who bear the full set of obligations, and non-commercial open source developers, who are excluded, while introducing the new "open source steward" role for foundations and similar bodies that support open source projects used in commercial products.
NIST frameworks supply the technical foundation for implementation: the Cybersecurity Framework 2.0, with its expanded supply chain governance under the new Govern function; SP 800-161 for cybersecurity supply chain risk management; and SP 800-218, the Secure Software Development Framework (SSDF), which underpins the federal attestation requirements. Sector-specific regulations add further layers for financial services (OCC third-party risk guidance, the EU's DORA), healthcare (FDA premarket cybersecurity requirements for medical devices), critical infrastructure (NERC CIP, TSA security directives), and defense (CMMC 2.0).
The chapter concludes by examining international coordination challenges, noting that while harmonization efforts continue through bodies like the EU-US Trade and Technology Council and international standards organizations, organizations must currently navigate divergent requirements across jurisdictions. The recommended approach is to implement practices meeting the most stringent applicable requirements while building flexibility for evolving regulatory landscapes.