
Evaluating and Mitigating Software Supply Chain Security Risks

May 2010 Technical Note
Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, Carol Woody

In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.


Software Engineering Institute


The Department of Defense (DoD) is concerned that security vulnerabilities could be inserted into software that has been developed outside of the DoD’s supervision or control. This report presents an initial analysis of how to evaluate and mitigate the risk that such unauthorized insertions have been made. The analysis is structured in terms of actions that should be taken in each phase of the DoD acquisition life cycle.