Choosing a software supply chain security framework


Charles A. Jacco

Principal, Cyber Security, KPMG US

+1 212-954-1949

Caleb Queern

Director, Cyber Security, KPMG US

+1 571-228-8011

Choosing a software supply chain security framework: SLSA vs CIS

Recent incidents related to third-party software dependencies have highlighted the importance of software supply chain security, and how disastrous the outcomes can be if a secure development process is not followed. [1] These events have led to the creation of two new frameworks: the Supply-chain Levels for Software Artifacts (SLSA) framework, with noteworthy leadership from Google, and the Software Supply Chain Security Guide from the Center for Internet Security (CIS). Both provide detailed requirements for integrating security into your software supply chain processes. [2]

Why is it important to use a software supply chain security framework?

Software supply chain security helps ensure that your software development process remains secure. The related threat landscape has grown far beyond first-party source code changes and now encompasses the surrounding activities: the build pipeline, third-party dependency usage, artifact storage, and delivery to consumers. [3][4] A framework provides detailed controls that can be implemented to improve security and to demonstrate to your customers that you have taken steps to mitigate risks. After President Biden’s “Executive Order on Improving the Nation’s Cybersecurity”, the use of a software supply chain security framework became a requirement for federal agencies and contractors as well. [5]

Supply-chain Levels for Software Artifacts (SLSA) framework

The SLSA framework is a checklist of requirements for secure software development, organized into four implementation levels of increasing sophistication. These levels allow an organization of any maturity to get started by adopting one level at a time. SLSA was developed by a vendor-neutral steering committee and is based on processes that have been in place at Google since 2013. Overall, the framework is concise and compact, ranging from just two controls required for SLSA Level 1 to 20 controls required for SLSA Level 4. Currently at version 0.1, the SLSA framework can be expected to mature quickly over the next year.

CIS’s Software Supply Chain Security Guide

The CIS Guide is a detailed charter for building a better-practice secure development program, broken into steps aligned with the phases of the software development lifecycle. The document contains 173 controls, each with a detailed description, rationale, audit instructions, and remediation steps. This level of detail makes the guide ideal for security practitioners who need to justify the importance of each control to developers and executives. The framework was developed by the Center for Internet Security (CIS) together with several technology companies, and is overall a great fit for organizations that want to improve an established software supply chain security program.

Which one should you choose?

If your organization is just starting out on the journey to better software supply chain security, the SLSA framework provides some great first steps and may well offer the right balance of effort and risk reduction. You can visit its “Get Started Guide” to learn more. If you are a security professional at a company with established software security policies, the CIS guide can provide many valuable candidate controls to strengthen your overall security posture and increase buy-in from developers and executives.

Reach out to KPMG for assistance in picking and adopting the right framework so that your business can remain secure while delivering software to customers quickly. [6]


  1. KPMG LLP (US), "Five keys to effective DevSecOps" (August 19, 2021).
  2. KPMG LLP (US), "Integrating security into your DevOps environment" (June 11, 2019).
  3. KPMG LLP (US), "Security monitoring for software build pipelines" (March 19, 2021).
  4. KPMG LLP (US), "Which teams in my organization can help reduce risk using SBOMs" (May 26, 2020).
  5. KPMG LLP (US), "Rebooting DevOps security by design" (December 1, 2021).
  6. The White House, "Executive Order on Improving the Nation’s Cybersecurity" (May 12, 2021).