🤖 AI Summary
Government agencies face weak software supply chain security capabilities and lack cross-departmental coordination mechanisms. Method: This study convened 14 domain practitioners from 10 government departments and employed qualitative methods—including structured focus groups, case-based analysis, and consensus-building workshops—to co-develop a cross-departmental dialogue platform tailored to operational government needs. Contribution/Results: The study proposes an innovative public-sector–specific software supply chain security governance framework, comprising (1) policy implementation pathways, (2) a supplier tiered-assessment model, (3) an SBOM (Software Bill of Materials) deployment guideline, and (4) a multi-stakeholder incident response coordination mechanism. Findings yield an actionable set of recommendations that foster substantive alignment among government, industry, academia, and research institutions on pilot implementation, shared risk governance, and institutional co-creation—thereby providing both theoretical grounding and a practical paradigm for national critical infrastructure software supply chain security governance.
📝 Abstract
Supply chain security has become a very important vector to consider when defending against adversary attacks. Because of this, more and more developers are keen on improving their supply chains to make them more robust against future threats. On August 29, 2024, researchers from the Secure Software Supply Chain Center (S3C2) gathered 14 practitioners from 10 government agencies to discuss the state of supply chain security. The goal of the summit was to share insights among companies and developers alike in order to foster new collaborations and ideas moving forward. During the meeting, participants were asked questions on best practices and their thoughts on how to improve things for the future. In this paper we summarize the responses and discussions of the summit.