Secure Software Supply Chain Summits

Three Secure Software Supply Chain Summits are conducted each year. The goals of the Summits are to enable sharing among industry practitioners who have practical experience and challenges with software supply chain security; to help form new collaborations between industrial organizations and researchers; and to identify research opportunities.

Summit participants are recruited from companies and US government agencies, intentionally drawn from diverse domains and from organizations of varying maturity and size. Except for the organization that hosts the Summit, each company or agency may have only one participant; this limit keeps the event small enough that honest communication between participants can flow. The Summits are conducted under the Chatham House Rules, which state that all participants are free to use the information discussed, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed. As such, none of the participating companies or agencies are identified in this paper.

Summits start with a keynote presentation. Prior to the Summit, participants complete a survey to vote on the topics of the six panels that make up the rest of the day. As such, the panel topics represent the challenges faced by practitioners. Based upon personal preferences expressed in the survey, four participants are selected to begin each 45-minute panel discussion with a 3-5 minute statement. The remaining minutes of each panel are spent openly discussing the topic.

Summit Reports

Community Day

We invite the community to join us for annual Software Supply Chain Community Days where industry, government, and academia can network and discuss challenges, practical solutions, and the latest software supply chain security research.

Response to US Government RFI (2023)

In 2023, the US Government issued a Request for Information (RFI) on Open-Source Software Security, seeking to understand long-term areas of focus and prioritization. You can read the details of our response in our public comment on or download the PDF.