The nation's reliance on computer software to run and manage critical business services has increased dramatically over many decades and only continues to grow. But with this reliance comes risk. The rising frequency and impact of software vulnerability exploitation have caused billions of dollars of damage and losses to thousands of companies across the world. And the malicious compromise — or even accidental failure — of software threatens firms across all industries throughout the United States. Moreover, modern software applications are increasingly built on a foundation of third-party and open-source software components, developed by thousands of professional and volunteer contributors across the world. The complexity and decentralized nature of the modern software ecosystem mean that firms have less oversight of the software that runs their businesses and are increasingly exposed to risk from this expanding software supply chain. Although many federal government agencies are vocal in addressing this issue in their own way, the U.S. Securities and Exchange Commission (SEC) has been relatively quiet. This Perspective presents a set of proposed disclosure rules that the SEC could implement to help address software supply chain security.
Romanosky, Sasha and Jonathan W. Welburn, Disclosure of Software Supply Chain Risks. Santa Monica, CA: RAND Corporation, 2022. https://www.rand.org/pubs/perspectives/PEA2072-1.html.
Romanosky, Sasha and Jonathan W. Welburn, Disclosure of Software Supply Chain Risks, RAND Corporation, PE-A2072-1, May 2022. As of January 11, 2023: https://www.rand.org/pubs/perspectives/PEA2072-1.html