Cyber Supply Chain Risk Management C-SCRM

Software and Supply Chain Assurance Forum


Forums are held 2-3 times / year and are FREE and OPEN TO THE PUBLIC; registration is required.

Please join us on Wednesday, April 7th at 11 am Eastern time for a 2-hour SSCA Virtual Event.

• WHEN: April 7th from 11am to 1pm, Eastern

• REGISTER UPDATE: Due to tremendous response, we have closed registration early. We will be hosting additional SSCA Virtual Forums in the coming months.

• AGENDA:

SSCA Co-Chair will provide opening remarks, review Chatham House Rules

Panel One:  "How the Other Half SCRMs: Helping Small and Medium Businesses Understand Supply Chain Risk"
   This panel will focus on the unique experiences and challenges of small, medium, and rural communications and IT businesses in the context of supply chain risk management.   

Moderator: Megan Doscher, Senior Policy Advisor, National Telecommunications and Information Administration
- Robert Mayer, Sr. Vice President, Cybersecurity & Innovation, US Telecom - The Broadband Association
- Tamber Ray, Regulatory Counsel, NTCA - The Rural Broadband Association
- Dr. Gamze Seckin, Head of IP & Standards, XCOM Labs

Brief Intermission

Panel Two: "Achieving a Trustworthy Software Cyber Engine for our Economy"
     Software and its supply chain have become prime targets of adversaries looking to disrupt or steal. With more and more of our society leveraging software-enabled technologies and managing distributed capabilities across geographically separated locations, the possible impacts of insecure software are too big to ignore. Understanding what trustworthy software systems look like and how others can gain assurance about them is motivating international standards, best practices, frameworks, and government regulations that seek to address these problems. This panel will discuss these motivating forces, the efforts underway, and the challenges remaining.

Moderated by SSCA Co-Chair
     -  Bob Martin, Sr. Software & Supply Chain Assurance Principal Engineer, MITRE
     -  Aaron Cooper, Vice President, Global Policy, BSA/The Software Alliance
     -  Derek Weeks, Vice President, Sonatype


NIST is closely monitoring guidance from Federal, State, and local health authorities on the outbreak of COVID-19. To protect the health and safety of NIST employees and the American public they continue to serve, NIST has decided to postpone all in-person SSCA Forum meetings for 2021 – however, we will be holding virtual meetings. For more information on COVID-19, please visit: cdc.gov/covid19.


Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance Forum (SSCA) provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved.

The effort is co-led by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the Department of Defense (DoD), and the General Services Administration (GSA). Participants represent a diverse group of career professionals including government officials, chief information security officers, those in academia with cybersecurity and supply chain specialties, system administrators, engineers, consultants, vendors, software developers, managers, analysts, specialists in IT and cybersecurity, and many more fields. 

SSCA forums are held 2-3 times/year and are free and open to all interested parties.

While the general intent is to share information, the SSCA Forum also offers government and private sector participants, including international participants, an opportunity to openly collaborate by presenting and receiving feedback on current and potential future work. Most events are two to three days long and contain a mixture of discussion and presentation; interaction is always strongly encouraged. To encourage open interaction, SSCA Forum meetings operate under the Chatham House Rule, meaning “participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed,” though many speakers allow NIST to post their presentations on this website.

To receive information about upcoming meetings and related publications and activities, please sign up for the sw.assurance Google Group - operated by NIST - here: https://groups.google.com/a/list.nist.gov/forum/#!forum/sw.assurance


The forum, initially called the Software Assurance (SwA) Forum and Working Groups, was initiated in 2003 as a Department of Homeland Security (DHS)-sponsored Cross-Sector Cyber Security Working Group (CSCSWG) established under the auspices of the Critical Infrastructure Partnership Advisory Council (CIPAC), which provides a legal framework for public-private collaboration and participation. Its purpose was to bring together a stakeholder community to protect the Nation’s key information technologies, most of which are enabled and controlled by software. Over time, the community evolved and broadened the scope to include additional focus on the supply chain. Events were held quarterly; Summer and Winter sessions were intended for working group-type discussions while the Spring and Fall sessions were reserved for more traditional forum presentations.


As of 2014, the Forums are operated under the Chatham House Rule, meaning “participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed”. On occasion, a speaker may wish to provide their slides to the group, in which case links to those presentations will be embedded in the corresponding agendas here:

Agendas and presentations for events prior to 2014 are not available.

  • June 25-27, 2013
  • March 5-7, 2013
  • September 18-20, 2012
  • June 26-28, 2012 (Part 2)
  • June 26-28, 2012 (Part 1)
  • March 26-29, 2012
  • November 28-December 2, 2011
  • September 12-16, 2011
  • February 28-March 4, 2011
  • December 14-16, 2010
  • June 21-23, 2010

Created May 24, 2016, Updated May 11, 2021