The nation’s reliance on computer software to run and manage critical business services has increased dramatically over many decades and only continues to grow. But with this reliance comes risk. The increasing rate of and impact from the exploitation of software vulnerabilities has caused billions of dollars of damage and losses to thousands of companies across the world. And the malicious compromise—or even accidental failure—of software threatens firms across all industries throughout the United States. For example, the NotPetya and WannaCry ransomware attacks caused tens of billions of dollars of losses globally, and the disclosure of the software vulnerabilities Heartbleed in 2014 (Lee, 2015) and log4j in 2021 (Tan, 2022) affected hundreds of millions of devices. The compromise of the SolarWinds software in 2019 (Greig, 2022) became a potent reminder of the fragility of the U.S. dependence on modern software applications and of the potential harms to corporate balance sheets, customer data, and sensitive government records.

Moreover, an increasing number of modern software applications are being built on a foundation of third-party and open-source software components, developed by thousands of professional and volunteer contributors across the world. This complexity and decentralized nature of the modern software ecosystem mean that firms are becoming more separated from the oversight of the software that runs