December 15, 2025 Breach

In December 2020, cybersecurity firm FireEye (now Mandiant) disclosed that it had been breached by a sophisticated threat actor. The investigation that followed revealed one of the most significant supply chain compromises in history: attackers had inserted malicious code into SolarWinds' Orion software build process, distributing a backdoor known as SUNBURST to approximately 18,000 organizations through legitimate software updates. Five years later, the SolarWinds attack remains the defining moment for software supply chain security. But has the industry actually changed?

What Happened: A Brief Recap

The threat actor, attributed by U.S. intelligence agencies to Russia's SVR foreign intelligence service (tracked as APT29 or Cozy Bear), compromised SolarWinds' build system as early as October 2019. Between March and June 2020, trojanized updates to the Orion IT monitoring platform were distributed to SolarWinds customers worldwide. Among the confirmed victims were the U.S. Treasury Department, the Department of Commerce's National Telecommunications and Information Administration (NTIA), the Department of Homeland Security, the State Department, parts of the Pentagon, and the Department of Energy, including the National Nuclear Security Administration.

The attack remained undetected for approximately nine months. It was discovered not by any government agency or SolarWinds itself, but by FireEye, which detected the compromise of its own red team tools and traced it back to the SolarWinds update.

What Improved After SolarWinds

Executive Order 14028 (May 2021)

Five months after the SolarWinds disclosure, President Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity." The order directed sweeping changes to how the federal government approaches software security, including requirements for software vendors selling to the government to provide Software Bills of Materials (SBOMs), attest to secure development practices, and meet enhanced security standards. The order also directed NIST to publish guidance on secure software development (resulting in the Secure Software Development Framework, SSDF).

SBOM Requirements

The concept of a Software Bill of Materials — a machine-readable inventory of all components in a software product — moved from niche concept to mainstream requirement after SolarWinds. The NTIA published minimum elements for SBOMs in July 2021. CISA has since championed SBOM adoption across critical infrastructure sectors. While SBOM adoption remains uneven, the awareness and infrastructure for software transparency have improved dramatically.
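As an added example (not code from the original article or from Fair TPRM), the following Python checks a constructed CycloneDX-style SBOM for the NTIA minimum elements the paragraph refers to (supplier name, component name, version, a unique identifier, dependency relationship, SBOM author and timestamp) and then walks the recorded dependency graph to show how deep each component sits below the product. The sample SBOM, its component names, suppliers and purls are all constructed; the field names follow the CycloneDX JSON layout, but only the subset used here is handled, and a deliberately incomplete component is included so the checker has something to flag.

```python
"""NTIA minimum-element check over a CycloneDX-style SBOM.

Added example; not code from the original article or from Fair TPRM.
The SBOM below is constructed for illustration.
"""
import json

# Constructed sample SBOM. Field names follow CycloneDX JSON; real SBOMs carry far more.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-12-15T10:00:00Z",
        "authors": [{"name": "Example Vendor Build Team"}],
        "component": {"bom-ref": "app", "name": "example-app", "version": "3.1.0",
                      "supplier": {"name": "Example Vendor"},
                      "purl": "pkg:generic/example-app@3.1.0"},
    },
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "version": "2.4.1",
         "supplier": {"name": "Lib A Maintainers"}, "purl": "pkg:generic/lib-a@2.4.1"},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "1.0.0",
         "supplier": {"name": "Lib B Inc"}, "purl": "pkg:generic/lib-b@1.0.0"},
        # Deliberately incomplete entry: no version, no supplier, no identifier.
        {"bom-ref": "lib-c", "name": "lib-c"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a"]},
        {"ref": "lib-a", "dependsOn": ["lib-b"]},
        # lib-b and lib-c have no dependency entry at all (a gap the check reports).
    ],
})


def check_ntia_minimum(sbom_json: str) -> list[str]:
    """Return one finding per missing NTIA minimum element; empty list means complete."""
    sbom = json.loads(sbom_json)
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing SBOM author")
    # Every component, including the top-level product, should have a dependency record,
    # even an empty one, so that "no dependencies" is a statement rather than an omission.
    deps = {d.get("ref"): d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    all_components = [meta.get("component", {})] + sbom.get("components", [])
    for comp in all_components:
        ref = comp.get("bom-ref", "<no bom-ref>")
        if not comp.get("name"):
            findings.append(f"{ref}: missing component name")
        if not comp.get("version"):
            findings.append(f"{ref}: missing version")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{ref}: missing unique identifier (purl/cpe/swid)")
        if ref not in deps:
            findings.append(f"{ref}: no dependency relationship recorded")
    return findings


def transitive_depth(sbom_json: str) -> dict[str, int]:
    """Breadth-first walk from the product: depth 1 is a direct dependency, depth 2 a
    dependency of a dependency, and so on. Components not reachable from the product
    (here lib-c) are absent from the result, which is itself worth noticing."""
    sbom = json.loads(sbom_json)
    deps = {d.get("ref"): d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {}
    frontier = [(root, 0)]
    while frontier:
        ref, d = frontier.pop(0)
        for child in deps.get(ref, []):
            if child not in depth:  # first visit in BFS order is the shortest path; also stops cycles
                depth[child] = d + 1
                frontier.append((child, d + 1))
    return depth


if __name__ == "__main__":
    for finding in check_ntia_minimum(SAMPLE_SBOM):
        print("FINDING:", finding)
    print("depth by component:", transitive_depth(SAMPLE_SBOM))
```

Run against the sample, the checker reports the dependency gap for lib-b and four gaps for lib-c, and the depth walk places lib-a at depth 1 and lib-b at depth 2 while lib-c never appears, which is how an unreachable or orphaned entry shows up in practice. In a real program the SBOM would come from the vendor's release artifact and the findings would feed the vendor review rather than a print loop.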

CISA Secure by Design Initiative

CISA launched its Secure by Design initiative in 2023, calling on software manufacturers to take ownership of security outcomes rather than shifting responsibility to customers. The initiative published principles including designing products that are secure out of the box, embracing radical transparency about security practices, and building organizational structures that prioritize security. Over 200 companies signed CISA's Secure by Design Pledge by 2025.

FedRAMP Modernization

The Federal Risk and Authorization Management Program (FedRAMP) underwent significant modernization following SolarWinds. The FedRAMP Authorization Act, signed into law as part of the FY2023 National Defense Authorization Act, codified FedRAMP into law and directed the program to accelerate the authorization process while enhancing security requirements for cloud service providers serving federal agencies.

Improvement                  Status (December 2025)
Executive Order 14028        Issued May 2021; SBOM and attestation requirements being implemented
SBOM Adoption                Growing but uneven; federal government requiring from vendors
CISA Secure by Design        200+ companies signed pledge; awareness high, implementation ongoing
FedRAMP Modernization        Codified into law; modernization ongoing
NIST SSDF (SP 800-218)       Published February 2022; referenced in federal acquisition requirements

What Has Not Changed

Despite the significant policy and awareness improvements, several fundamental gaps in third-party risk management remain stubbornly persistent:

Questionnaire-Only TPRM Still Dominates

The vast majority of organizations still rely primarily on security questionnaires — vendor self-assessments that are completed once a year and filed away. Questionnaires capture a point-in-time snapshot that may not reflect the vendor's actual security posture, and they are inherently limited by the honesty and accuracy of the vendor's responses. The SolarWinds attack would not have been caught by any questionnaire; it required the kind of continuous monitoring and build-process integrity verification that most TPRM programs still lack.

TPRM Budgets Remain Insufficient

While awareness of supply chain risk has increased, budgets for TPRM tools and staff have not kept pace. Many security teams report that TPRM is an "unfunded mandate" — leadership expects vendor risk management but does not allocate dedicated resources for it. This gap disproportionately affects small and mid-sized organizations.

Fourth-Party Visibility Remains Poor

SolarWinds was a vendor to approximately 300,000 organizations. The attack demonstrated that risk extends not just to your direct vendors but to your vendors' vendors. Yet most TPRM programs still have minimal visibility into fourth-party and nth-party risks. The tools and practices for managing these deeper supply chain dependencies remain immature.

Software Build Integrity Is Still Hard

While SBOMs and secure development attestations are important steps forward, verifying the integrity of a vendor's software build process remains extremely difficult. The SolarWinds attackers compromised the build system itself, meaning the malicious code was compiled into the official product. Detecting this kind of supply chain injection requires capabilities that most organizations — and most vendors — do not have.
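As an added example (not code from the original article or from Fair TPRM), the following Python shows the two checks a consumer can actually perform on a vendor release once build provenance exists: verifying that a signed provenance statement covers the exact artifact received and names a trusted builder and the expected source repository, and comparing the shipped artifact against an independent rebuild from the same source. The artifact bytes, builder id, repository URI, commit placeholder and digests are all constructed; the statement layout follows the in-toto Statement and SLSA provenance v1 field names in simplified form, and signature verification of the statement (normally done with a tool such as cosign) is assumed to have already happened.

```python
"""Consumer-side checks on a release artifact and its build provenance.

Added example; not code from the original article or from Fair TPRM.
Every value below is constructed for illustration.
"""
import hashlib
import json

# Constructed "release" artifact as it would arrive through the vendor's update channel.
RELEASED_ARTIFACT = b"example-installer v1.0 (constructed bytes)"

# Constructed artifact from an independent rebuild of the same tagged source. It differs
# from the released one, simulating code that entered only through the build system.
INDEPENDENT_REBUILD = b"example-installer v1.0 (constructed bytes, rebuilt)"

# Assumed trust configuration on the consumer side (constructed identifiers).
TRUSTED_BUILDERS = {"https://builder.example.invalid/hosted-ci"}
EXPECTED_SOURCE = "git+https://example.invalid/vendor/app"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed provenance for the released artifact. Field names follow the in-toto
# Statement / SLSA provenance v1 layout; the commit digest is an obvious placeholder.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "installer.zip",
                 "digest": {"sha256": sha256_hex(RELEASED_ARTIFACT)}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "source": {"uri": EXPECTED_SOURCE, "digest": {"gitCommit": "0" * 40}},
            },
        },
        "runDetails": {"builder": {"id": "https://builder.example.invalid/hosted-ci"}},
    },
})


def verify_provenance(artifact: bytes, provenance_json: str) -> list[str]:
    """Return a list of problems; an empty list means every check passed.
    Assumes the statement's signature was already verified by a separate tool."""
    problems = []
    stmt = json.loads(provenance_json)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("unexpected predicate type")
    # The artifact in hand must be one of the statement's subjects, byte for byte.
    subject_digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if sha256_hex(artifact) not in subject_digests:
        problems.append("artifact digest not among provenance subjects")
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        problems.append(f"untrusted builder: {builder}")
    source = (pred.get("buildDefinition", {}).get("externalParameters", {})
              .get("source", {}).get("uri"))
    if source != EXPECTED_SOURCE:
        problems.append(f"unexpected source repository: {source}")
    return problems


def reproducible_build_matches(released: bytes, rebuilt: bytes) -> bool:
    """An independent rebuild from the same source should yield a byte-identical artifact.
    A mismatch means something was introduced between source and product."""
    return sha256_hex(released) == sha256_hex(rebuilt)


if __name__ == "__main__":
    print("provenance problems:", verify_provenance(RELEASED_ARTIFACT, PROVENANCE) or "none")
    print("rebuild matches release:",
          reproducible_build_matches(RELEASED_ARTIFACT, INDEPENDENT_REBUILD))
```

The two checks answer different questions. Provenance verification establishes who built the artifact and from which source, and a compromised build system produces provenance that passes every one of those checks, because the injection happens inside the trusted builder. The rebuild comparison is the check that notices such an injection, and it is also the one most vendors cannot yet offer, since it requires a reproducible build; that gap is what the paragraph above describes.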

TPRM Lesson Learned: The SolarWinds attack proved that a single compromised vendor update can grant adversaries access to thousands of organizations simultaneously. Five years later, the policy response has been substantial, but implementation gaps remain. Effective TPRM in a post-SolarWinds world requires moving beyond annual questionnaires to continuous monitoring, demanding SBOMs and secure development attestations from software vendors, and building programs that account for fourth-party risk. Open-source TPRM tools make it possible for resource-constrained teams to implement these practices without enterprise budgets.

The SolarWinds SEC Settlement

In October 2023, the SEC filed a civil action against SolarWinds Corporation and its Chief Information Security Officer, Timothy Brown, alleging fraud and internal control failures related to cybersecurity risks and vulnerabilities. The SEC alleged that SolarWinds overstated its security practices in public filings while internal documents showed known vulnerabilities. In July 2024, a federal judge dismissed most of the SEC's claims against SolarWinds but allowed certain claims related to the initial public disclosure of the breach to proceed. The case continues to set precedent for CISO liability and corporate cybersecurity disclosures.

The Path Forward

Five years after SolarWinds, the question is no longer whether supply chain attacks are a serious threat — that debate is settled. The question is whether organizations will translate their awareness into action. The tools, frameworks, and policy guidance now exist. What remains is the will to implement them consistently across the vendor ecosystem.

Protect Your Organization from Third-Party Risk

Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.


Sources & References

  1. Executive Order 14028: Improving the Nation's Cybersecurity - The White House, May 2021
  2. Secure by Design - CISA
  3. SEC Charges SolarWinds and Its CISO with Fraud and Internal Control Failures - SEC Press Release, October 2023
  4. NIST SP 800-218: Secure Software Development Framework (SSDF) - NIST, February 2022
  5. Software Bill of Materials (SBOM) - CISA
  6. FY2023 National Defense Authorization Act (FedRAMP Authorization Act) - U.S. Congress