Section 4(e) of EO 14028 outlines 10 actions and outcomes to further secure software development. Since most subsections in this Appendix are specific to software producers and users, federal agencies that seek to implement those actions and achieve those outcomes should refer to SP 800-218 (see below).
A notable exception in NIST’s response to 4(e) is its Attesting to Conformity with Secure Software Development Practices, which outlines minimum recommendations for agency purchasers to require attestations from software suppliers.
This guidance considers both SSDF V1.1 and Attesting to Conformity with Secure Software Development Practices within the context of existing C-SCRM standards, tools, and recommended practices for federal agency acquirers, as mandated in Sections 4(c) and 4(d) of EO 14028.
SSDF V1.1’s core set of high-level secure software development practices is fundamental for software producers and developers. It is also critical for federal agency acquirers who seek to use a common vocabulary with suppliers during acquisition and to augment their existing C-SCRM controls. Table 4 identifies likely areas of impact across supply chain acquisition and procurement activities.
Control Identifier | Control (or Control Enhancement) Name | C-SCRM Baseline | SSDF V1.1 Task(s) |
---|---|---|---|
SA-1 | Policy and Procedures | x | PO.1.1 |
SA-3 | System Development Life Cycle | x | PO.2.1, PO.5.1 |
SA-4 | Acquisition Process | x | PO.1.3, PW.4.1, PW.4.4 |
SA-5 | System Documentation | x | PW.4.1, PW.9.2, RV.2.2 |
SA-8 | Security and Privacy Engineering Principles | x | PO.1.1, PO.1.2, PO.2.2, PO.5.1, PS.1.1, PS.2.1, PS.3.1, PS.3.2, PW.1.1, PW.1.2, PW.4.4, RV.2.2 |
SA-9(1) | External System Services \| Risk Assessments and Organizational Approvals | | PO.1.3 |
SA-9(3) | External System Services \| Establish and Maintain Trust Relationship with Providers | | PO.1.3, PW.4.4 |
SA-10 | Developer Configuration Management | | PO.1.3, PS.1.1, PS.3.1, RV.1.1, RV.2.2 |
SA-11 | Developer Testing and Evaluation | | PW.7.1, PW.7.2, PW.8.1, PW.8.2, RV.1.2, RV.2.2, RV.3.3 |
SA-15 | Development Process, Standards, and Tools | | PO.1.1, PO.1.2, PO.1.3, PO.3.1, PO.3.2, PO.3.3, PO.4.1, PO.4.2, PO.5.1, PO.5.2, PW.6.1, PW.6.2, RV.3.4 |
SA-17 | Developer Security and Privacy Architecture and Design | | PW.1.2 |
SR-3 | Supply Chain Controls and Processes | x | PO.1.1, PO.1.2, PO.1.3, PS.3.2, PW.4.1, PW.4.4, RV.1.1 |
SR-4 | Provenance | | PO.1.3, PS.3.1, PS.3.2, PW.4.1, PW.4.4, RV.1.1 |
SR-5 | Acquisition Strategies, Tools, and Methods | x | PO.1.3 |
SR-9 | Tamper Resistance and Detection | | PW.6.2 |