NIST has finalized SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile. This publication augments SP 800-218 by adding practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle. The Profile supports Executive Order (EO) 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.
To gather input for SP 800-218A in support of EO 14110, NIST held a virtual workshop on Secure Development Practices for AI Models on January 17, 2024. A recording of the workshop can be viewed on NIST's website.
NIST Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities has been posted as final, along with a Microsoft Excel version of the SSDF 1.1 table. SP 800-218 includes mappings from Executive Order (EO) 14028 Section 4e clauses to the SSDF practices and tasks that help address each clause. Also, see a summary of changes from version 1.1 and plans for the SSDF.
SSDF Practices | SSDF Use | New in Version 1.1 | NIST Plans | Contact Us
The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation.
Following the SSDF practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences. Also, because the SSDF provides a common language for describing secure software development practices, software producers and acquirers can use it to foster their communications for procurement processes and other management activities.
The SSDF practices are organized into four groups:
Each practice is defined with the following elements:
SSDF version 1.1 is defined in NIST SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. NIST SP 800-218 replaces the NIST Cybersecurity White Paper, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) that defined SSDF version 1.0.
The SSDF can help an organization to align and prioritize its secure software development activities with its business/mission requirements, risk tolerances, and resources. The SSDF’s practices are outcome-based. Comparing the outcomes an organization is currently achieving to the SSDF’s practices may reveal gaps to be addressed. An action plan to address these gaps can aid in setting priorities that take into consideration the organization’s mission and business needs and its risk management processes.
In addition to risk, factors such as cost, feasibility, and applicability should be considered when deciding which SSDF practices to use and how much time and resources to devote to each practice. Automatability is an important factor to consider, especially for implementing practices at scale. Also, some practices are more advanced than others and have dependencies on certain foundational practices already being in place.
The SSDF’s practices, tasks, and implementation examples represent a starting point to consider; they are meant to be changed and customized, and to evolve over time. The intention of the SSDF is not to create a checklist to follow, but instead to provide a basis for planning and implementing a risk-based approach to adopting secure software development practices and continuously improving software development.
The most noteworthy changes in SSDF from the original to version 1.1 are:
For more details, see the change log in Appendix C of SP 800-218. The SP 800-218 landing page also includes supplemental files showing the significant changes from the original SSDF version 1.0 white paper and from the SP 800-218 public draft.
NIST has been considering next steps for the evolution of the SSDF. It will be updated periodically to reflect your inputs and feedback, and we encourage you to share your thoughts with us as you implement the SSDF within your own organization and software development efforts. Having inputs from a variety of software producers will be particularly helpful to us in refining and revising the SSDF.
Additional actions under consideration include the following:
Your comments and suggestions for the SSDF project are always welcome. Contact us at ssdf@nist.gov.
Security and Privacy: systems security engineering, vulnerability management
Technologies: artificial intelligence, software & firmware
Laws and Regulations: Executive Order 14028, Executive Order 14110