Recent years have shown increased cyber attacks targeting less secure
elements in the software supply chain and causing severe damage to businesses
and organizations. Well-known past examples of software supply chain attacks
are the SolarWinds and Log4j incidents, which affected thousands of customers
and businesses. The US government and industry are equally interested in
enhancing software supply chain security. On June 7, 2023, researchers from the
NSF-supported Secure Software Supply Chain Center (S3C2) conducted a Secure
Software Supply Chain Summit with a diverse set of 17 practitioners from 13
government agencies. The goal of the Summit was two-fold: (1) to share our
observations from our previous two summits with industry, and (2) to enable
sharing between individuals at the government agencies regarding practical
experiences and challenges with software supply chain security. For each
discussion topic, we presented our observations and takeaways from the
industry summits to spur conversation. We specifically focused on Executive
Order 14028, software bills of materials (SBOMs), choosing new dependencies,
provenance and self-attestation, and large language models. The open
discussions enabled mutual sharing and shed light on common challenges that
government agencies see as impacting government and industry practitioners when
securing their software supply chain. In this paper, we provide a summary of
the Summit.

Comment: arXiv admin note: text overlap with arXiv:2307.16557,
arXiv:2307.1564