The government agency charged with leading a review of guidance and standards for federal agencies to employ to strengthen the security of their software supply chains will initially focus on existing guidance and then identify gaps where new practices are needed, an official for the National Institute of Standards and Technology (NIST) said on Tuesday.

“So, first and foremost we want to identify and cite work that exists rather than create new work,” Matthew Scholl, chief of the Computer Security Division of NIST’s Information Technology Laboratory, told a joint hearing of the House Science Committee’s panels that oversee investigations and oversight and research and technology. “After we have done that, we will work with both our industry and our agency partners to see if there are any critical gap areas in that existing work and then that will form the nucleus for any new created items that we’ll have to make.”

Scholl was responding to a question from Rep. Jay Obernolte (R-Calif.), the ranking member on the investigations and oversight subcommittee, who cited a December 2020 Government Accountability Office report that found none of 23 federal civilian agencies “had full implemented selected foundational practices for managing information and communication technology (ICT) supply chain risks, known as supply chain risk management.”

NIST is directed in a new presidential executive order with rapidly assessing existing software supply chain security standards, tools and best practices, and if necessary, developing new standards and tools. The order was directed in mid-May and NIST has 30 days to solicit input on these standards.

Within six months, NIST is required to publish preliminary guidelines based on the feedback it receives in the first month of its tasking to assess existing and potentially new standards. Following issuance of the preliminary guidance, NIST has 90 more days to push out “guidance identifying practices that enhance the security of the software supply chain,” the May 17 executive order says.

Obernolte also asked if the deadlines for NIST are “realistic” and whether the agency has the resources to carry out the directive.

Scholl said that so far, NIST is “on track and working toward achieving all of those objectives,” adding that the agency expects to meet the timelines. He also said that “and even though the timelines for initial deliverables may be short, NIST is also committed to applying a sense of persistence to this activity over a much longer term. So, the initial deliverable may be short but we also plan on staying persistent on these issues over a much longer period of time as well.”

Vijay D’Souza, director of Information Technology and Cybersecurity at GAO, told the panel that this month GAO received updates from six of the 23 agencies reviewed for the December report on the actions they have taken to address recommendations.

Still, he told the committee, none of the agencies have completed implementation of the recommendations to meet ICT supply chain security standards.

“Until they do so, agencies will be limited in their ability to effectively address supply chain risks across their organizations,” D’Souza said in his prepared remarks.

The Science committee hosted the hearing to examine software supply chain security.