NIST releases SSDF Secure Development

https://csrc.nist.gov/publications/detail/sp/800-218/final

The NIST SSDF (SP 800-218) serves as the focal point for capturing and operationalizing U.S. government software security expectations. In February, SP 800-218 replaced the original 2020 NIST cybersecurity white paper, formalizing the SSDF as the government’s seminal software security organizing construct. 

The document describes a set of foundational practices for secure software development and is organized into four core principles.

  • Prepare the organization: People, process, and technology should be adequately prepared to perform and sustain secure software development.
  • Protect the software: Organizations should protect all components of their software from tampering and unauthorized access.
  • Produce well-secured software: Organizations should produce well-secured software with minimal vulnerabilities.
  • Respond to vulnerabilities: Organizations should identify vulnerabilities and respond appropriately. 

Once the software is built in a way that minimizes risk, it must be distributed in a way that detects or prevents malicious tampering. This includes detecting and preventing malicious exploits that a compromised build pipeline could compile into the software packages, as well as malware or backdoors that a compromised distribution channel could insert into the software. When securing delivery channels, any software that is uploaded should undergo binary software composition analysis (SCA) to ensure that the package is free from vulnerable components. The binary analysis results should also be compared to the SBOM generated by the developers, and any discrepancies should be investigated.
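The reconciliation step described above, as an added example that is not part of NIST SP 800-218 or of this post: a developer-side SBOM is generated from the components actually linked at build time, a stand-in for a binary SCA tool hashes the components found in the package as received from the distribution channel, and the two are diffed. The component bytes, the advisory list and the CycloneDX-like field names (`components`, `hashes`, `alg`, `content`) are all constructed for illustration; the report flags undeclared components, missing components, hash mismatches (possible tampering in the pipeline or in transit) and components on a known-vulnerable list.

```python
"""Reconcile a binary SCA scan of a received package against the build-time SBOM.

Added example; not NIST's or the post author's code. All inputs are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed build-time artifacts: what the developers' pipeline actually linked in.
BUILT = {
    ("libfoo", "1.4.2"): b"libfoo 1.4.2 object code (constructed)",
    ("libbar", "3.0.1"): b"libbar 3.0.1 object code (constructed)",
    ("libbaz", "0.9.0"): b"libbaz 0.9.0 object code (constructed)",
    ("libqux", "2.0.0"): b"libqux 2.0.0 object code (constructed)",
}


def make_sbom(built: dict) -> str:
    """Emit a CycloneDX-like SBOM as JSON; the field names are an assumption."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": n, "version": v,
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(b)}]}
            for (n, v), b in built.items()
        ],
    })


# Constructed package as received on the distribution channel: libbar's bytes differ
# from the build, libbaz is absent, and a component the SBOM never listed appears.
RECEIVED = {
    ("libfoo", "1.4.2"): BUILT[("libfoo", "1.4.2")],
    ("libbar", "3.0.1"): b"libbar 3.0.1 object code (modified in transit)",
    ("libqux", "2.0.0"): BUILT[("libqux", "2.0.0")],
    ("libundeclared", "1.0.0"): b"component not present in the SBOM (constructed)",
}


def scan_binary(received: dict) -> list:
    """Stand-in for a binary SCA tool: identify each component and hash its bytes."""
    return [{"name": n, "version": v, "sha256": sha256_hex(b)} for (n, v), b in received.items()]


# Constructed advisory feed, name -> affected versions. Not real vulnerability data.
KNOWN_VULNERABLE = {"libqux": {"2.0.0", "2.0.1"}}


@dataclass
class Report:
    undeclared: list = field(default_factory=list)     # in binary, not in SBOM
    missing: list = field(default_factory=list)        # in SBOM, not in binary
    hash_mismatch: list = field(default_factory=list)  # declared, but bytes differ
    vulnerable: list = field(default_factory=list)     # present and on the advisory list

    def clean(self) -> bool:
        return not (self.undeclared or self.missing or self.hash_mismatch or self.vulnerable)


def reconcile(sbom_json: str, scan: list, advisories: dict) -> Report:
    """Diff SBOM-declared components against what the binary scan found."""
    declared = {}
    for c in json.loads(sbom_json)["components"]:
        declared[(c["name"], c["version"])] = next(
            h["content"] for h in c["hashes"] if h["alg"] == "SHA-256")
    found = {(s["name"], s["version"]): s["sha256"] for s in scan}

    report = Report()
    report.undeclared = sorted(found.keys() - declared.keys())
    report.missing = sorted(declared.keys() - found.keys())
    report.hash_mismatch = sorted(k for k in found.keys() & declared.keys()
                                  if found[k] != declared[k])
    report.vulnerable = sorted((n, v) for (n, v) in found if v in advisories.get(n, set()))
    return report


def demo() -> Report:
    """Run the reconciliation on the constructed build and received package."""
    return reconcile(make_sbom(BUILT), scan_binary(RECEIVED), KNOWN_VULNERABLE)


if __name__ == "__main__":
    r = demo()
    for category in ("undeclared", "missing", "hash_mismatch", "vulnerable"):
        for name, version in getattr(r, category):
            print(f"{category:14s} {name} {version}")
    print("package accepted" if r.clean() else "package held for investigation")
```

Each non-empty category is a discrepancy the text says should be investigated before the package is released; only a report with every list empty lets the package through.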