Recent years have seen an increase in cyber attacks that target less secure elements of the software supply chain and cause severe damage to businesses and organizations. Well-known past examples of software supply chain attacks include the SolarWinds and log4j incidents, which affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. On June 7, 2023, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 17 practitioners from 13 government agencies. The goal of the Summit was two-fold: (1) to share our observations from our previous two summits with industry, and (2) to enable sharing between individuals at the government agencies regarding practical experiences and challenges with software supply chain security. For each discussion topic, we presented our observations and takeaways from the industry summits to spur conversation. We specifically focused on Executive Order 14028, software bills of materials (SBOMs), choosing new dependencies, provenance and self-attestation, and large language models. The open discussions enabled mutual sharing and shed light on common challenges that government agencies see as impacting both government and industry practitioners when securing their software supply chain. In this paper, we provide a summary of the Summit.