Published November 13, 2025

Securing the public sector software supply chain with the CNCF

Ant Newman
Director of Content

On November 11, Spectro Cloud’s William Crum, a U.S. Marine Corps veteran, joined peers from Lockheed Martin, Applied Research Associates, Defense Unicorns and CNCF on stage at KubeCon + CloudNativeCon North America.

The panel, hosted by the CNCF Public Sector User Group, marked the culmination of nearly a year of collaboration: the release of the new Public Sector Software Supply Chain white paper, a blueprint for building trust, transparency, and resilience in government and defense software systems.

“This white paper specifically tries to design an implementation guide for defining and creating a secure software supply chain,” said William Crum of Spectro Cloud. “What we do in the 15 pages is define consumers of these pieces of software, define the defense producers... and then how can we share that in an ecosystem where developing software is at a crossroads of sharing software, not necessarily something I tell the government to download from my release artifact in GitHub.”

A mission of open collaboration

The CNCF Public Sector User Group, founded in 2023, brings together government technologists and contractors to apply cloud native principles — automation, openness, and scalability — to the unique constraints of the public sector: air-gapped environments, classified networks, and strict compliance regimes.

As moderator Ihor Dvoretskyi of CNCF noted:

“We are facing literally the same issues that many of you may face — not just in the public sector, but any kind of private sector... One of the biggest pain points in the entire ecosystem is supply chain issues.”

He explained that while public sector teams want to benefit from open source tooling, they must do so under conditions “where you're not able to literally use the global internet” and must “implement your own infrastructure and connect the patterns or distribute the artifacts all across your ecosystem.”

The group’s answer to these challenges is a community-driven framework that translates open source best practices into actionable architectures for defense and government systems.

Building trust across the chain

Lockheed Martin’s Daniel Moch, lead author of the white paper, emphasized why this work matters:

“Our customer is the government, and the government is seeing what the cloud-native community is doing... They want the speed. They want the cost savings. They want all of that. At the same time, software development is as complex as it has ever been... Supply chain security is obviously paramount and a big contributor to that complexity.”

He announced with pride:

“As of just a couple days ago, we finally, finally got [the white paper] published… It’s all about securing software supply chains.”

That white paper — now available here — details a practical reference architecture for secure software supply chains (S3C), aligned with NIST and CISA guidance. It breaks the challenge into a few key functional stages:

  1. Establish trust — verifying digital identity and authority using tools like Keycloak and Sigstore to issue trustworthy signatures.
  2. Generate — producing signed attestations, SBOMs, and verifiable provenance data during builds.
  3. Share and verify — distributing artifacts securely across trusted networks, with continuous monitoring, via tools like Harbor, Dependency-Track, and OPA.
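To make the three stages concrete, the following Go program is an added example written for this post; it is not code from the white paper, from Spectro Cloud, or from any of the projects named above. Stage 1 (establishing trust) is assumed already done and is represented by a producer public key the consumer trusts out of band; in a real deployment that trust would come from identity and signing infrastructure such as Keycloak and Sigstore. Stage 2 is `Generate`, which builds a minimal in-toto-style statement whose subject is the artifact digest and whose predicate is a constructed SBOM, then signs it with Ed25519 in a simplified DSSE-like envelope. Stage 3 is `Verify`, which checks the signature, checks that the attestation describes the bytes actually received, and applies a small license policy that stands in for a policy engine like OPA. The predicate type URL, the component fields and all sample data are placeholders constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Subject identifies the artifact an attestation describes, by digest
// (the in-toto Statement layout); the name is informational only.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Component is one SBOM entry; the fields are a constructed minimum, not a
// full SPDX or CycloneDX record.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	License string `json:"license"`
}

// Statement is the signed payload: which artifact, and what is claimed about it.
type Statement struct {
	Type          string      `json:"_type"`
	PredicateType string      `json:"predicateType"`
	Subject       []Subject   `json:"subject"`
	Predicate     []Component `json:"predicate"`
}

// Envelope is a simplified DSSE-style wrapper: the exact payload bytes plus
// one signature over them. Real DSSE also binds the payload type into the
// signed data; that detail is omitted here.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Generate (stage 2): the producer attests the artifact's SBOM and signs it.
func Generate(priv ed25519.PrivateKey, name string, artifact []byte, comps []Component) (Envelope, error) {
	sum := sha256.Sum256(artifact)
	st := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		PredicateType: "https://example.invalid/sbom/v0", // placeholder predicate type
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		Predicate:     comps,
	}
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify (stage 3): the consumer checks the signature against a key it already
// trusts (stage 1 is assumed done), checks the attestation is about the bytes it
// actually received, then applies an admission policy to the SBOM contents.
func Verify(pub ed25519.PublicKey, env Envelope, artifact []byte, denied map[string]bool) (Statement, error) {
	var st Statement
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return st, errors.New("signature does not verify against the trusted producer key")
	}
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return st, err
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	matched := false
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			matched = true
		}
	}
	if !matched {
		return st, errors.New("attestation subject digest does not match the received artifact")
	}
	for _, c := range st.Predicate {
		if denied[c.License] {
			return st, fmt.Errorf("policy violation: %s@%s uses denied license %s", c.Name, c.Version, c.License)
		}
	}
	return st, nil
}

func main() {
	// Constructed sample: a throwaway producer key, a fake artifact, a two-entry SBOM.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed release artifact bytes")
	sbom := []Component{{Name: "libfoo", Version: "1.2.3", License: "Apache-2.0"}, {Name: "libbar", Version: "0.9.0", License: "MIT"}}
	env, _ := Generate(priv, "app.tar", artifact, sbom)
	denied := map[string]bool{"AGPL-3.0": true}
	_, err := Verify(pub, env, artifact, denied)
	fmt.Println("genuine artifact:", err)
	_, err = Verify(pub, env, []byte("swapped artifact"), denied)
	fmt.Println("swapped artifact:", err)
}
```

The order of checks in `Verify` is deliberate: the signature is checked before the payload is parsed, so untrusted bytes are never interpreted, and the subject digest is compared before any policy runs, so an attestation cannot be replayed against a different artifact. In a production pipeline the signature and key lookup would be backed by Sigstore and a transparency log such as Rekor, and the license check would be one of many rules evaluated by a policy engine at the registry or admission boundary.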

At its core, the framework shows that security and transparency are mutual enablers of agility.

A shared foundation for government and industry

Crum explained that the work goes beyond tooling into unifying practices across contractors, agencies, and open source contributors:

“We define the flow from top to bottom — I develop software, I develop software that has signed attestations, SBOMs, and signatures that the government can trust, and then push all that to a shared ecosystem, which the government can then take control of and put additional controls around.”

He credited open technologies like Sigstore, Rekor, and Archivista for making these capabilities practical:

“Every time I sign my code, it is proven. When I ship code, all of that is something I can attest or look back onto.”

[Photo: KubeCon session panel]

From white paper to action

Hari Kunduru of Applied Research Associates tied the discussion to the realities of federal procurement and compliance:

“If you're up to date with current events, you know that the Golden Dome of America is coming… billions and billions of dollars that federal contractors are going to be eligible to bid on. And with this new wave of contracts… they need receipts — SBOMs and all sorts of things.”

He introduced what he called “Military Appellate Materials” — a concept for enhanced SBOMs that incorporate attestations and CISA-compliant evidence, effectively giving defense programs a “receipt of everything that you put into a package that you give to the government.”

This idea echoes the white paper’s roadmap: contractors can begin adopting the consumer side of the architecture today, while government agencies build shared infrastructure to support secure collaboration across the defense industrial base.

Giving back to the community

For the participants — many of them veterans or defense technologists — the work carries a personal dimension. Dvoretskyi opened the session by thanking all who have served, acknowledging the symbolic weight of presenting this work on November 11.

As Crum summarized later:

“One of our asks as the user group is just sharing a lot of the Linux Foundation and Cloud Native Computing Foundation projects... Oftentimes you'll probably find a project that has already done something you're looking to do. So just sharing that with the people that we work with and with the service members that need it.”

It’s a sentiment that captures the spirit of open source in the public sector — collaboration as a form of service.

[Photo: Will Crum speaking about software supply chain]

Why this matters, and what’s next

The white paper may be a technical document, but it provides a policy pathway for the public sector to meet the requirements of Executive Order 14028 and CISA’s minimum SBOM elements, while giving smaller suppliers a practical framework to comply without being left behind.

The CNCF Public Sector User Group’s work — and Spectro Cloud’s contributions to it — underscore a shared belief: securing Kubernetes and open source infrastructure is a national imperative, and it can only be achieved through openness, transparency, and collaboration.

Download the full CNCF Public Sector Software Supply Chain white paper here: https://bit.ly/cncf-ssc