Security Risk And The Software Supply Chain


Presented at OWASP Appsec 2010 by

A critical aspect of the U.S. government's effectiveness is the dependability, trustworthiness, and survivability of the information and communication technology (ICT) on which its ability to perform its functions, activities, services, and missions relies. But as our adversaries find their efforts to compromise government information systems and networks increasingly confounded by the expanded reach and effectiveness of information assurance and cyber security controls and countermeasures, they seek new targets and avenues of attack. Among these is the supply chain for the software products that are the "building blocks" of those systems and networks. Supply chain attacks attempt either to proactively compromise those building blocks before they can be deployed in systems or networks, or to delay or prevent their delivery when and where they are needed.

The focus of this presentation is on security risks in the supply chain for off-the-shelf software products, including commercial-off-the-shelf (COTS) and government-off-the-shelf (GOTS) software, open source, shareware, and free software. These include supply chain risks that involve intentional acts that compromise the integrity, trustworthiness, or availability of flows, products, or data in the off-the-shelf software supply chain, regardless of the motivation for those acts.
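The abstract names two outcomes a supply chain attacker wants: a building block that arrives modified, or one that does not arrive at all. The smallest defender-side check that distinguishes both from a clean delivery is comparing every received artifact against a manifest of digests pinned when the component was first vetted. The example below is added here and is not part of the presentation; the artifact names, their contents and the manifest are constructed stand-ins for real package files.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts: byte strings standing in for the packages a
# supplier delivers. These are illustrative, not real software.
GOOD_LIB = b"libwidget-1.2.3: original build output\n"
TAMPERED_LIB = b"libwidget-1.2.3: original build output\n# modified in transit\n"
GOOD_TOOL = b"buildtool-0.9: original build output\n"

# The pinned manifest: digests recorded at acquisition time, when the
# components were vetted. Kept separately from the delivery channel so that a
# compromised download cannot also rewrite the expected values.
PINNED_MANIFEST = {
    "libwidget-1.2.3.tar.gz": sha256_hex(GOOD_LIB),
    "buildtool-0.9.tar.gz": sha256_hex(GOOD_TOOL),
}


def verify_delivery(manifest: dict, delivered: dict) -> dict:
    """Classify each artifact in a delivery against the pinned manifest.

    Returns a mapping of artifact name to one of:
      'ok'         - present and digest matches the pinned value (integrity intact)
      'tampered'   - present but digest differs (integrity compromised)
      'missing'    - expected but not delivered (availability compromised)
      'unexpected' - delivered but never vetted (must not be deployed)
    """
    results = {}
    for name, expected in manifest.items():
        if name not in delivered:
            results[name] = "missing"
            continue
        actual = sha256_hex(delivered[name])
        # Constant-time comparison so the check itself leaks nothing useful.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for name in delivered:
        if name not in manifest:
            results[name] = "unexpected"
    return results


def delivery_is_deployable(results: dict) -> bool:
    """A delivery may be deployed only when every expected artifact verified clean."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo() -> dict:
    """Run the check over a constructed delivery containing all three failure modes."""
    delivered = {
        "libwidget-1.2.3.tar.gz": TAMPERED_LIB,   # integrity failure
        "extra-helper.tar.gz": b"never vetted\n",  # unvetted component
        # buildtool-0.9.tar.gz is absent: availability failure
    }
    return verify_delivery(PINNED_MANIFEST, delivered)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
    print("deployable:", delivery_is_deployable(demo()))
```

The manifest is the trust anchor here: it has to be captured from a vetted copy and stored outside the path the supplier controls, otherwise an attacker who can modify the artifact can usually modify the published digest beside it as well. Signed manifests or vendor signatures over the artifacts extend the same check to the question of who produced the component, which the digest alone does not answer.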