The increasing frequency and sophistication of software supply chain attacks pose severe risks to critical infrastructure sectors, threatening national security, economic stability, and public safety. Despite growing awareness, existing security practices remain fragmented and insufficient: most frameworks focus narrowly on isolated life-cycle stages or are not aligned with the specific needs of critical infrastructure (CI) sectors. In this paper, we conducted a multivocal literature review across international frameworks, Australian regulatory sources, and academic studies to identify and analyze security practices across the software supply chain, with particular attention to specific CI sectors. Our analysis found that few existing frameworks are explicitly tailored to CI domains. Building systematically on the software supply chain security frameworks we identified, we applied a "4W+1H" analytical approach: we synthesized ten core categories of software supply chain security practices (what), mapped them across life-cycle phases (when), stakeholder roles (who), and implementation levels (how), and examined their coverage across existing frameworks (where). Building on these insights, the paper culminates in a structured, multi-layered checklist of 80 questions designed to help relevant stakeholders evaluate and enhance their software supply chain security. Our findings reveal gaps between framework guidance and sector-specific needs and highlight the need for integrated, context-aware approaches to safeguard critical infrastructure from evolving software supply chain risks.