S3C2 Summit 2025-07: Government Secure Supply Chain Summit
Reviewed by Pith2026-06-29 11:10 UTCgrok-4.3pith:EH2YRE55open to challenge →
The pith
A July 2025 summit let 12 participants from six US government agencies share experiences on software supply chain security topics.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The summit enabled sharing of practical experiences and challenges with software supply chain security among participants from different government agencies and helped inform future research directions.
What carries the argument
Structured discussion sessions on six predefined topics, each opened with a list of questions and overviews drawn from prior industry summits.
If this is right
- Research directions can be adjusted to address challenges government participants actually face in areas such as SBOM adoption and malicious commits.
- New collaborations may form between the participating agencies and the organizing researchers.
- Government agencies may adopt or refine practices around compliance and build infrastructure based on shared experiences.
- Insights on culture and LLM-related risks can guide internal policy updates within the represented agencies.
Where Pith is reading between the lines
- The same format of mixing prepared questions with prior-summit summaries could be applied to other domains such as critical infrastructure security.
- Follow-up work could test whether the six topics remain the highest priorities when more agencies are included.
- The discussions may reveal concrete gaps between current government requirements and available tools for supply-chain attestation.
Load-bearing premise
The selected participants and chosen topics give a representative view of the challenges facing US government agencies.
What would settle it
A later summit or survey with a broader or different group of agencies that surfaces substantially different challenges or priorities would show the original set of discussions was not representative.
read the original abstract
Software supply chains, while providing immense economic and software development value, are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks specifically targeting vulnerable links in critical software supply chains. The attacks disrupt day-to-day functioning and threaten the security of nearly everyone on the internet, from billion-dollar companies and government agencies to hobbyist open-source developers. The evolving threat of software supply chain attacks has garnered interest from both the software industry and governments worldwide in improving software supply chain security. On Thursday, July 9th, 2025, 3 researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 participants from 6 US government agencies. The goals of the Summit were: (1) to enable sharing between participants from different industries regarding practical experiences and challenges with software supply chain security; (2) to help form new collaborations; and (3) to learn about the challenges facing participants to inform our future research directions. The summit consisted of discussions of six topics relevant to the government agencies represented, including software bill of materials (SBOMs); compliance; malicious commits; build infrastructure; culture; and large language models (LLMs) and security. For each topic of discussion, we presented participants with a list of questions to spark conversation and an overview of the discussions of two industry summit held in the past year. In this report, we provide a summary of the summit. The initial discussion questions for each topic are provided in the appendi
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript reports on a one-day Secure Software Supply Chain Summit held on July 9, 2025, organized by three researchers from the NSF-backed S3C2 center. It involved 12 participants from six US government agencies and covered six discussion topics (SBOMs, compliance, malicious commits, build infrastructure, culture, and LLMs and security). The stated goals were to share practical experiences, form collaborations, and inform future research directions; the report summarizes the discussions and includes initial discussion questions in an appendix.
Significance. As a factual descriptive record of agency perspectives on software supply chain security, the report could help surface practical challenges and research priorities for the S3C2 center and similar efforts. Its contribution is limited to event documentation rather than new technical results, quantitative findings, or generalizable models.
minor comments (2)
- [Abstract] Abstract: the text is truncated mid-word at 'appendi'; complete to 'appendix' and confirm the appendix is present in the full manuscript.
- The manuscript should explicitly state whether the provided summaries reflect only the prepared questions or also capture participant responses and outcomes, to clarify the scope of the report.
Simulated Author's Rebuttal
We thank the referee for the review and the recommendation of minor revision. The manuscript is intended as a factual descriptive record of the summit discussions and agency perspectives.
Circularity Check
No significant circularity; purely descriptive report
full rationale
The paper is a factual summary of a one-day summit event. It contains no equations, derivations, fitted parameters, predictions, or load-bearing self-citations. All claims reduce directly to the authors' direct observation of the event itself (attendance, topics discussed, goals stated) without any intermediate reduction or renaming that would constitute circularity. The representativeness assumption is not required for the stated claims.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Securities and Exchange Commission v
2023. Securities and Exchange Commission v. SolarWinds Corp. Docket No. 1:23-cv-09518-PAE, S.D.N.Y. (filed Oct. 30, 2023; dismissed Nov. 20, 2025). https://www.courtlistener.com/docket/67927585/securities-and-exchange- commission-v-solarwinds-corp/
-
[2]
Cybersecurity and Infrastructure Security Agency. 2025. 2025 Minimum Ele- ments for a Software Bill of Materials (SBOM). https://www.cisa.gov/resources- tools/resources/2025-minimum-elements-software-bill-materials-sbom
2025
-
[3]
Department of Homeland Security Cybersecurity and Infrastructure Se- curity Agency (CISA). 2024. Secure Software Development Attestation Form. https://www.cisa.gov/sites/default/files/2024-04/Self_Attestation_ Common_Form_FINAL_508c.pdf
2024
-
[4]
Trevor Dunlap, Yasemin Acar, Michel Cucker, William Enck, Alexandros Kaprav- elos, Christian Kastner, and Laurie Williams. February 2023. S3C2 Summit 2023-02: Industry Secure Supply Chain Summit.http://arxiv.org/abs/2307.16557 (February 2023)
- [5]
-
[6]
European Union. 2024. Horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)
2024
-
[7]
Sivana Hamer, Jacob Bowen, Md Nazmul Haque, Robert Hines, Chris Madden, and Laurie Williams. 2026. Closing the Chain: How to reduce your risk of being SolarWinds, Log4j, or XZ Utils. InInternational Conference on Software Engineering (ICSE)
2026
-
[8]
May 12, 2021
US White House. May 12, 2021. Executive Order 14028 on Improving the Nation’s Cybersecurity.https://www.whitehouse.gov/briefing-room/presidential- actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/(May 12, 2021)
2021
-
[9]
Elizabeth Lin, Jonah Ghebremichael, William Enck, Yasemin Acar, Michel Cucker, Alexandros Kapravelos, Christian Kastner, and Laurie Williams. March 2025. S3C2 Summit 2025-03: Industry Secure Supply Chain Summit. https://arxiv.org/pdf/2510.24920(March 2025)
-
[10]
Courtney Miller, Yasemin Acar, Michel Cucker, William Enck, Christian Kast- ner, Alexandros Kapravelos, Dominik Wermke, and Laurie Williams. August
-
[11]
https://arxiv.org/abs/2504.00924(August 2024)
S3C2 Summit 2024-08: Government Secure Supply Chain Summit. https://arxiv.org/abs/2504.00924(August 2024)
-
[12]
MITRE. 2025. Introduction to MITRE Shield. https://shield.mitre.org/resources/ downloads/Introduction_to_MITRE_Shield.pdf
2025
-
[13]
MITRE. 2025. MITRE ATLAS. https://atlas.mitre.org/
2025
-
[14]
MITRE. 2025. MITRE ATT&CK. https://attack.mitre.org/
2025
-
[15]
National Institute of Standards and Technology. 2025. National Vulnerability Database. https://nvd.nist.gov/
2025
-
[16]
NIST. 2022. NIST Special Publication 800-218 Secure Software Development Framework (SSDF).https:// nvlpubs.nist.gov/ nistpubs/ SpecialPublications/ NIST.SP. 800-218.pdf(2022)
2022
-
[17]
August 22, 2025
NTIA. August 22, 2025. The Minimal Elements of a Software Bill of Materi- als.https:// cisa.gov\/sites\/default\/files\/2025-08\/2025_CISA_SBOM_Minimum_ Elements.pdf(August 22, 2025)
2025
-
[18]
Imranur Rahan, Yasemin Acar, Michel Cucker, William Enck, Christian Kast- ner, Alexandros Kapravelos, Dominik Wermke, and Laurie Williams. Septem- ber 2024. S3C2 Summit 2024-09: Industry Secure Supply Chain Summit. https://arxiv.org/abs/2505.10538(September 2024)
-
[19]
Eric Raymond. 1999. The cathedral and the bazaar.Knowledge, Technology & Policy12, 3 (1999), 23–49
1999
-
[20]
The White House. 2025. Sustaining Select Efforts To Strengthen The Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. https://www.whitehouse.gov/presidential-actions/2025/06/sustaining-select- efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive- order-13694-and-executive-order-14144/
2025
-
[21]
Santiago Torres-Arias, Hammad Afzali, Trishank Karthik Kuppusamy, Reza Curtmola, and Justin Cappos. 2019. in-toto: Providing farm-to-table guarantees for bits and bytes. In28th USENIX Security Symposium (USENIX Security 19). 8 S3C2 Summit 2023-06: Government Secure Supply Chain Summit 1393–1410
2019
- [22]
-
[23]
Greg Tystahl, Yasemin Acar, Michel Cucker, William Enck, Christian Kast- ner, Alexandros Kapravelos, Dominik Wermke, and Laurie Williams. March
-
[24]
https://arxiv.org/abs/2405.08762(March 2024)
S3C2 Summit 2024-03: Industry Secure Supply Chain Summit. https://arxiv.org/abs/2405.08762(March 2024)
-
[25]
White House. 2025. Executive Order 14144 on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. 14144 (January 16 2025). https: //public-inspection.federalregister.gov/2025-01470.pdf Accessed: 2025-04-28
2025
-
[26]
Shalanda D. Young. 2022. M-22-18 Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf(2022)
2022
-
[27]
Nusrat Zahan, Yasemin Acar, Michel Cucker, William Enck, Alexandros Kaprav- elos, Christian Kastner, and Laurie Williams. November 2023. S3C2 Summit 2023-11: Industry Secure Supply Chain Summit.https://arxiv.org/abs/2408.16529 (November 2023). A INITIAL DISCUSSION QUESTIONS (1) SBOM, VEX, and compliance.From your perspective, how widespread is the practic...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.