🤖 AI Summary
Frequent and increasingly sophisticated software supply chain attacks pose systemic security threats to critical infrastructure, while existing security frameworks suffer from fragmented lifecycles, misalignment with regulatory requirements, and significant coverage gaps.
Method: This study integrates ISO/IEC 27001, NIST SSDF, and Australian critical infrastructure security regulations to propose a multidimensional analytical framework grounded in the “4W+1H” paradigm (Who, What, When, Where, and How), systematically mapping and unifying security practices across the full lifecycle, multiple stakeholder roles, and implementation tiers.
Contribution/Results: We distill ten core security practices, identify critical infrastructure–specific coverage gaps in current standards, and develop a contextualized assessment checklist comprising 80 structured questions. The framework enables cross-organizational collaborative governance and advances a context-aware, integrated software supply chain security posture.
📝 Abstract
The increasing frequency and sophistication of software supply chain attacks pose severe risks to critical infrastructure sectors, threatening national security, economic stability, and public safety. Despite growing awareness, existing security practices remain fragmented and insufficient, with most frameworks narrowly focused on isolated life cycle stages or lacking alignment with the specific needs of critical infrastructure (CI) sectors. In this paper, we conducted a multivocal literature review across international frameworks, Australian regulatory sources, and academic studies to identify and analyze security practices across the software supply chain, especially in specific CI sectors. Our analysis found that few existing frameworks are explicitly tailored to CI domains. We systematically leveraged the identified software supply chain security frameworks. Using a "4W+1H" analytical approach, we synthesized ten core categories (what) of software supply chain security practices, mapped them across life-cycle phases (when), stakeholder roles (who), and implementation levels (how), and examined their coverage across existing frameworks (where). Building on these insights, the paper culminates in a structured, multi-layered checklist of 80 questions designed to help relevant stakeholders evaluate and enhance their software supply chain security. Our findings reveal gaps between framework guidance and sector-specific needs and highlight the need for integrated, context-aware approaches to safeguard critical infrastructure from evolving software supply chain risks.