NetRise Announces Partner-Led Managed Software Supply Chain Risk Management Offering for the Federal Market
New offering helps federal agencies operationalize software supply chain risk management with binary-derived evidence and provenance context for a more complete view of software risk
"Federal agencies are being asked to make software supply chain risk management operational, not just aspirational," said
The offering is designed to help partners deliver software supply chain risk management as an operational capability across acquisition, authorization, continuous monitoring and incident response. Three recent federal actions bear directly on this work.
- CISA Binding Operational Directive 26-04, Prioritizing Security Updates Based on Risk (June 10, 2026), requires federal civilian agencies to prioritize remediation by asset exposure and known exploited vulnerability status, which is only as accurate as an agency's understanding of the software actually running on each asset.
- The AI executive order, Promoting Advanced Artificial Intelligence Innovation and Security (June 2, 2026), responds to AI compressing the time between vulnerability disclosure and exploitation, raising the premium on fast and accurate software inventory.
- The post-quantum cryptography executive order, Securing the Nation Against Advanced Cryptographic Attacks (June 22, 2026), sets 2030 and 2031 migration deadlines and directs CISA and NIST to define a cryptographic bill of materials, which depends on visibility into the cryptographic algorithms embedded in deployed software and firmware.
NetRise starts from the binary to create an independent, full-stack software asset inventory across firmware, operating systems, containers and applications. NetRise Provenance adds a complementary layer of software supply chain context by mapping components to canonical repositories, contributors, maintainers, organizations and regions, while surfacing repository health signals and dependency blast radius - the extent of downstream impact when an open-source component is compromised - to help teams make better third-party risk, procurement and incident response decisions. Together, these capabilities help partners support federal agencies in several important ways:
- Validate vendor-provided SBOMs against compiled artifacts and build a binary-derived inventory of the software that actually executes, giving agencies the asset-level software context that BOD 26-04 prioritization depends on
- Enrich that inventory with provenance context, including software origin, contributor and maintainer signals, repository health and dependency blast radius
- Identify the cryptographic algorithms and libraries present in compiled software and firmware, supporting the cryptographic inventory and bill-of-materials work the post-quantum executive order requires
- Support federal workflows spanning vendor onboarding, RMF and ATO activities, continuous monitoring and faster scoping of software supply chain incidents, at the speed AI-accelerated exploitation timelines now demand
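As an added illustration of the first and third capabilities above (validating a vendor SBOM against what is actually in a compiled artifact, and building a cryptographic inventory from it), the following Python example is not NetRise code and does not use any NetRise API. It assumes a minimal CycloneDX-shaped SBOM and a binary-derived component list, both constructed inline as sample data; the classification of algorithms as quantum-vulnerable or weak is a simple illustrative rule, not a NIST-defined list.

```python
"""
SBOM-versus-binary reconciliation and a minimal cryptographic inventory.
Added example; all inputs below are constructed sample data.
"""
import json

# Constructed vendor SBOM (minimal CycloneDX 1.5 JSON shape).
VENDOR_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1"},
        {"type": "library", "name": "libcurl", "version": "8.5.0"},
    ],
})

# Constructed binary-derived inventory, in the shape a firmware analysis
# tool might emit: component name, version, and crypto algorithms observed.
BINARY_INVENTORY = [
    {"name": "openssl", "version": "1.1.1w", "crypto": ["RSA-2048", "AES-256-GCM", "SHA-1"]},
    {"name": "zlib", "version": "1.3.1", "crypto": []},
    {"name": "busybox", "version": "1.36.1", "crypto": ["MD5"]},
]


def parse_cyclonedx(text):
    """Return {name: version} for the components a CycloneDX SBOM declares."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"].lower(): c.get("version", "") for c in doc.get("components", [])}


def reconcile(sbom_components, binary_inventory):
    """Classify each component as confirmed, undeclared (in binary, not in
    SBOM), missing (in SBOM, not in binary) or version drift."""
    found = {c["name"].lower(): c["version"] for c in binary_inventory}
    report = {"confirmed": [], "undeclared": [], "missing": [], "version_drift": []}
    for name, version in found.items():
        if name not in sbom_components:
            report["undeclared"].append(name)
        elif sbom_components[name] != version:
            report["version_drift"].append((name, sbom_components[name], version))
        else:
            report["confirmed"].append(name)
    for name in sbom_components:
        if name not in found:
            report["missing"].append(name)
    for key in report:
        report[key].sort()
    return report


# Illustrative classification rules (assumption, not an official list):
# public-key families broken by Shor's algorithm, and deprecated hashes.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH"}
WEAK_HASHES = {"MD5", "SHA-1"}


def crypto_inventory(binary_inventory):
    """Build a CBOM-style list of (component, algorithm, flag) entries, flagging
    algorithms that need post-quantum migration or outright replacement."""
    entries = []
    for comp in binary_inventory:
        for alg in comp["crypto"]:
            family = alg.split("-")[0]
            flag = None
            if family in QUANTUM_VULNERABLE:
                flag = "pqc-migration"
            elif alg in WEAK_HASHES:
                flag = "weak-hash"
            entries.append({"component": comp["name"], "algorithm": alg, "flag": flag})
    return entries


if __name__ == "__main__":
    report = reconcile(parse_cyclonedx(VENDOR_SBOM_JSON), BINARY_INVENTORY)
    for key, items in report.items():
        print(f"{key}: {items}")
    for entry in crypto_inventory(BINARY_INVENTORY):
        print(entry)
```

Run as a script, the reconciliation shows the SBOM's declared openssl version differing from the one compiled in, a component (busybox) the SBOM never mentions, and a declared library (libcurl) absent from the binary; the crypto inventory flags the RSA usage for post-quantum migration and the SHA-1 and MD5 usages as weak hashes. Each of these is the kind of asset-level fact that risk-based patch prioritization and a cryptographic bill of materials depend on.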
"Federal agencies can't manage what they can't see — and the teams we support don't just need better tools, they sometimes need a trusted partner who can operationalize those capabilities inside their environments," said Sarn
"Recent software supply chain incidents have made one thing clear: As attackers shift left and move further upstream, agencies and their partners cannot focus only on development-time controls," said Pace. "They also need to shift right and gain visibility into the software that is already running in production. When you combine binary analysis of what you actually build, buy and deploy with provenance intelligence about who is behind that software and how risk can spread, you can make better third-party risk decisions, respond faster and build more resilient federal systems."
Resources:
NetRise Provenance Data Sheet
About NetRise
NetRise is the software supply chain security company that exists to eliminate blind trust in software forever. By identifying every component in each binary image across firmware, kernels, operating systems, containers, and applications, NetRise exposes the full stack of inherited risk that source-based tools, vendor SBOMs, and questionnaires cannot see. The non-code risks it uncovers include hidden dependencies, cryptographic artifacts, misconfigurations and secrets, among others. Global enterprises that produce and consume software, including government agencies, rely on NetRise to validate what they ship and what they run. When the software supply chain is compromised by bad actors, NetRise answers the questions "how far do these compromises extend?" and "where am I exposed?", enabling rapid identification, prioritization, mitigation, and policy updates, reducing material risk to the business. NetRise has entered into an agreement to be acquired by
Media Contact:
Danielle Ostrovsky
Hi-Touch PR
Ostrovsky@Hi-TouchPR.com
View original content to download multimedia: https://www.prnewswire.com/news-releases/netrise-announces-partner-led-managed-software-supply-chain-risk-management-offering-for-the-federal-market-302814983.html
SOURCE NetRise