It seems like everyone is concerned about software supply chain security these days. In particular, there has been increased focus on how to arrive at a uniform approach to software supply chain security, including how to ensure that software producers are implementing basic secure software development practices.
In the US, the government has focused explicitly on uplifting software supply chain security in Section 4 of the Cybersecurity Executive Order, followed by NIST's SSDF and, most recently, the OMB's self-attestation requirement.
In the EU, legislators have been working on the Cyber Resilience Act. What do all of these regulations and requirements have in common? What can we expect to be the new best practices that cover compliance with each set of requirements? Are the requirements inherently different? Are there any sanctions scheduled for those who do not comply (either intentionally or through lack of resources)?