NIST Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities has been posted as final, along with a Microsoft Excel version of the SSDF 1.1 table. SP 800-218 includes mappings from Executive Order (EO) 14028 Section 4e clauses to the SSDF practices and tasks that help address each clause. Also, see a summary of changes from version 1.1 and plans for the SSDF.
The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation.
Following the SSDF practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences. Also, because the SSDF provides a common language for describing secure software development practices, software producers and acquirers can use it to support their communications during procurement processes and other management activities.
The SSDF practices are organized into four groups:
Each practice is defined with the following elements:
SSDF version 1.1 is defined in NIST SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. NIST SP 800-218 replaces the NIST Cybersecurity White Paper, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) that defined SSDF version 1.0.
The SSDF can help an organization to align and prioritize its secure software development activities with its business/mission requirements, risk tolerances, and resources. The SSDF’s practices are outcome-based. Comparing the outcomes an organization is currently achieving to the SSDF’s practices may reveal gaps to be addressed. An action plan to address these gaps can aid in setting priorities that take into consideration the organization’s mission and business needs and its risk management processes.
In addition to risk, factors such as cost, feasibility, and applicability should be considered when deciding which SSDF practices to use and how much time and resources to devote to each practice. Automatability is an important factor to consider, especially for implementing practices at scale. Also, some practices are more advanced than others and have dependencies on certain foundational practices already being in place.
The SSDF’s practices, tasks, and implementation examples represent a starting point to consider; they are meant to be changed and customized, and to evolve over time. The intention of the SSDF is not to create a checklist to follow, but instead to provide a basis for planning and implementing a risk-based approach to adopting secure software development practices and continuously improving software development.
The most noteworthy changes in SSDF from the original to version 1.1 are:
For more details, see the change log in Appendix C of SP 800-218. The SP 800-218 landing page also includes supplemental files showing the significant changes from the original SSDF version 1.0 white paper and from the SP 800-218 public draft.
Since finalizing SSDF version 1.1 in early 2022, NIST has been considering next steps for the evolution of the SSDF. It will be updated periodically to reflect your inputs and feedback, and we encourage you to share your thoughts with us as you implement the SSDF within your own organization and software development efforts. Having inputs from a variety of software producers will be particularly helpful to us in refining and revising the SSDF.
Additional actions under consideration include the following:
Your comments and suggestions for the SSDF project are always welcome. Contact us at firstname.lastname@example.org.