This study addresses the growing threat to software supply chain security, particularly vulnerabilities within critical government systems, by systematically examining challenges from a governmental perspective. It convenes twelve representatives from six U.S. government agencies to engage in structured discussions on six key topics: Software Bill of Materials (SBOM), regulatory compliance, malicious commits, build infrastructure integrity, security culture, and the implications of large language models (LLMs). Employing methods including facilitated workshops, comparisons with industry summits, and multi-stakeholder dialogues, the project produces a comprehensive government-level report that integrates emerging technologies like LLMs into the security framework. The findings not only inform policy development but also foster collaborative research among government, industry, and academia, providing a foundational reference for future strategic and scholarly efforts.

Software supply chains, while providing immense economic and software development value, are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks specifically targeting vulnerable links in critical software supply chains. The attacks disrupt day-to-day functioning and threaten the security of nearly everyone on the internet, from billion-dollar companies and government agencies to hobbyist open-source developers. The evolving threat of software supply chain attacks has garnered interest from both the software industry and governments worldwide in improving software supply chain security. On Thursday, July 9th, 2025, 3 researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 participants from 6 US government agencies. The goals of the Summit were: (1) to enable sharing between participants from different industries regarding practical experiences and challenges with software supply chain security; (2) to help form new collaborations; and (3) to learn about the challenges facing participants to inform our future research directions. The summit consisted of discussions of six topics relevant to the government agencies represented, including software bill of materials (SBOMs); compliance; malicious commits; build infrastructure; culture; and large language models (LLMs) and security. For each topic of discussion, we presented participants with a list of questions to spark conversation and an overview of the discussions of two industry summit held in the past year. In this report, we provide a summary of the summit. The initial discussion questions for each topic are provided in the appendi