Thanks for your help in shaping SSDF version 1.1! The public comment period for NIST Draft Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities is now closed.
NIST used findings from the June 2-3, 2021 virtual workshop in support of NIST's responsibilities under Executive Order 14028 to shape SSDF version 1.1.
Has your organization produced a set of secure software development practices? If you want to map those practices to the SSDF, please contact us at ssdf@nist.gov so we can introduce you to the National Online Informative References (OLIR) Program. You can contribute your mapping to our collection of informative references.
The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation.
Key practices in the SSDF include:
Following the SSDF practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Also, because the SSDF provides a common vocabulary for secure software development, software consumers can use it to foster communications with suppliers in acquisition processes and other management activities.
The SSDF practices are organized into four groups:
Each practice is defined with the following elements:
The SSDF version 1.0 practices are defined in the NIST Cybersecurity White Paper, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF).
NIST is currently updating the SSDF to version 1.1. Changes that NIST has adopted include the following:
The new SSDF draft also includes mappings from EO 14028 clauses to the SSDF practices and tasks that help address each clause.
There has also been considerable interest from industry and others in having NIST illustrate how the SSDF can be applied to particular SDLC models, especially when transitioning DevOps implementations to DevSecOps. For more information on this, see the NIST DevSecOps project site.
Your comments and suggestions for the SSDF project are always welcome. Contact us at ssdf@nist.gov.
Security and Privacy: systems security engineering, vulnerability management
Technologies: software & firmware
Laws and Regulations: Executive Order 14028