Skip to main content
Best PracticesEmerging TechnologyEvent TakeawaysFederal Government

Securing Software Supply Chains: Critical Infrastructure Priorities for 2026

By December 5, 2025No Comments6 min read

Securing Software Supply Chains: Critical Infrastructure Priorities for 2026

As 2025 comes to a close, the pressure on software supply chains that support critical infrastructure has never been greater. AI-generated code is rapidly expanding the attack surface, third-party dependencies are straining oversight, and compliance expectations are shifting faster than many teams can operationalize effectively. Leaders across the public sector are being asked not just to secure their systems, but to rethink how risk is measured, managed, and shared.

On December 4, Leadership Connect and Sonatype brought together cybersecurity leaders with insights from across the viewpoints of federal oversight, research and development, city government, and industry to unpack what’s changed, and what’s needed, to secure software supply chains in 2026. The discussion surfaced urgent themes: visibility gaps in AI and open-source components, challenges aligning compliance with operations, and the need for better coordination across security, policy, and procurement teams.

Couldn’t attend the session live? Watch the whole webinar here and make sure to follow our  Events Page to get in on the next conversation. Below are the key themes that shaped the discussion!

AI and Open Source Have Redefined Supply Chain Risk

One of the clearest takeaways from the session was the rapidly shifting nature of supply chain risk driven by AI-generated and open-source code. These components are often introduced into development environments without the same level of review or traceability that previously defined software procurement practices.

Participants pointed to the speed at which these tools are being adopted and the difficulty in assessing the origin or behavior of the resulting software. At the same time, attackers are increasingly using the same technologies to scale operations and exploit gaps faster than many organizations can detect them.

Managing these risks now requires more than traditional security checks. It involves understanding the source of every component, validating behavior continuously, and recognizing the expanded role automation plays in both development and exploitation.

Organizational Resilience Starts with Role Clarity

The conversation emphasized that many challenges around security response are not technical. They are structural. When something goes wrong, confusion over who is responsible for which part of the response often slows resolution and increases damage.

Speakers discussed the need for operational clarity including clearly defined roles, shared knowledge of systems, and consistent communication across departments. When everyone knows their part in a response, whether in cybersecurity, procurement, or leadership, organizations can respond faster and more effectively.

This also means shifting away from reactive blame. Building resilience requires equipping people with the tools and decision-making authority to act quickly, especially when working across siloed teams.

Third-Party Oversight Remains a Work in Progress

Despite increased awareness, oversight of external vendors and third-party software remains inconsistent across agencies and organizations. In many cases, there is a lack of visibility into what components are used, how they were built, or what risks they may introduce.

Panelists highlighted that even basic vendor inventories can be incomplete or out of date. Without a clear picture of the broader software ecosystem, including dependencies embedded by vendors themselves, efforts to assess or improve security remain limited.

Heading into 2026, there is momentum to strengthen these processes, but many teams are still navigating how to build oversight into procurement, contracting, and development workflows in a sustainable way.

Modernization Is Not One-Size-Fits-All

Not every legacy system can or should be immediately replaced. Several participants emphasized that modernization efforts need to be guided by context including what a system does, what data it handles, and what the risks are if it fails.

The key is portfolio-level management. Agencies are starting to group systems by risk and business impact, then prioritize based on what can be contained, monitored, or safely transitioned over time. Some systems may require replacement, while others can be secured with the right controls in place.

Rather than pushing for universal modernization, the focus is shifting to making strategic choices that reflect operational reality.

Compliance Is Only as Strong as the Execution Behind It

The panel also explored the growing pressure to meet evolving cybersecurity requirements. But while frameworks and standards are advancing, implementation often lags due to unclear guidance, limited resources, or gaps in cross-functional coordination.

The result is uneven execution, where teams may be following the letter of the requirement but not the intent. Compliance is becoming less about checklists and more about embedding security into daily operations, procurement decisions, and long-term planning.

Organizations that succeed in 2026 will be those that align policy, operations, and security rather than treat them as separate priorities.

Future-Proofing Means Better Metrics and Stronger Collaboration

Looking ahead, the panel agreed that building secure supply chains will depend on better ways to measure progress and assess impact. Many current investments, whether in modernization, training, or tooling, are hard to quantify in terms of risk reduction.

The ability to justify cybersecurity decisions with meaningful metrics will be critical, especially in environments with limited budgets or competing priorities.

The discussion closed with an emphasis on collaboration across teams, agencies, and sectors. Whether sharing data, research, or lessons learned, the path forward depends on creating systems and relationships that allow security efforts to scale.

Final Thought: Progress Requires Alignment

Securing the software supply chain is not a static goal. It is an evolving process that touches nearly every aspect of operations. As threats continue to grow more complex, the key to progress will be alignment across roles, systems, vendors, and priorities.

The panel underscored that no single team or tool can meet this challenge alone. But with the right coordination and commitment, organizations can reduce risk, improve resilience, and better protect the infrastructure they serve.

Staying Connected to Secure What’s Next

As organizations prepare for the next phase of cybersecurity challenges, visibility and coordination are becoming just as important as technical defenses. When threats emerge across systems, teams, and vendors, the ability to quickly identify the right stakeholders, align responsibilities, and act with confidence can make all the difference.

Leadership Connect helps public sector leaders do just that — by delivering up-to-date insight into the people, roles, and relationships that shape decision-making across government and industry. Whether you’re responding to risk, managing complex portfolios, or driving long-term modernization, Leadership Connect supports the work of staying informed, connected, and prepared.

For a closer look at how Leadership Connect can support your mission, explore our products designed for cybersecurity, procurement, and cross-agency collaboration.

Stop Searching. Start Finding. Your Results Are Waiting.
Leadership Connect

Leadership Connect

We are a data-driven decision intelligence company focused on the public sector. We enable over 40,000 top-performers, leaders and new hires to make better and faster decisions every day in the policy and procurement communities.

You May Also Like

Artificial IntelligenceEmerging TechnologyFederal GovernmentSpotlight Interviews Government Shutdown Perspectives: An Interview with Lou Eichenbaum of ColorTokens

Government Shutdown Perspectives: An Interview with Lou Eichenbaum of ColorTokens

Sarah Clein
Sarah CleinNovember 12, 2025
Federal GovernmentNonprofits & AssociationsPolicySpotlight Interviews Government Shutdown Perspectives: An Interview with Alessandra Zimmermann of AAAS

Government Shutdown Perspectives: An Interview with Alessandra Zimmermann of AAAS

Sarah Clein
Sarah CleinNovember 10, 2025
Leading Through Uncertainty: Navigating Change Together Artificial IntelligenceBest PracticesEmerging TechnologyEvent TakeawaysFederal Government Leading Through Uncertainty: Navigating Change Together

Leading Through Uncertainty: Navigating Change Together

Leadership Connect
Leadership ConnectOctober 31, 2025