August 5, 2022

Last Updated on January 18, 2024

In response to direction in Executive Order 14028 of May 2021, “Improving the Nation’s Cybersecurity,” the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-218, the Secure Software Development Framework (SSDF) Version 1.1, a revised and expanded edition of its earlier SSDF white paper.

The SSDF makes “recommendations for mitigating the risk of software vulnerabilities,” with the goal of ensuring that US government agencies buy secure software and that security is factored in across the US government (USG) software supply chain. The SSDF is also relevant to critical infrastructure organizations, where vulnerable software could impact public safety, the economy, and national security.

If your business sells software to the US government, you’ll soon be required to show alignment or compliance with the SSDF recommendations. But even if you’re not required to apply the SSDF to your software development lifecycle (SDLC), there are a number of excellent reasons to do so.

To share the relevance and benefits of the SSDF, Elzar Camper, Pivot Point Security’s Director of Cyber Security Solutions & Practices, joined a recent episode of The Virtual CISO Podcast. Hosting the show as always is John Verry, Pivot Point Security CISO and Managing Partner.

Raising the bar—sooner or later

Because it raises the security bar across the SDLC, alignment with the SSDF can confer competitive advantage for software vendors selling to security-aware entities like critical infrastructure orgs (e.g., healthcare, manufacturing, financial services) or state/local government entities.

Plus, orgs in this category might as well align with the SSDF now because compliance will soon be mandated by regulators and/or customers.

“If we’re talking about organizations selling to the government right now, or that will be in the future, even if they don’t fall into this [mandated] category now, they eventually will,” notes Elzar. “I don’t want to make it sound like they’re talking [only] about critical software. The goal is to have [SSDF compliance] with any piece of software the government procures.”

Private sector adoption is coming

Unlike the CMMC program, for example, which currently applies mainly to the defense supply chain, the push for secure software has applied across the entire US federal government from the outset. This means the private sector will increasingly demand SSDF compliance or alignment from its software suppliers as well.

“If you’re producing software, whether it’s incorporated into a larger application or something you’re selling direct to the government, the SSDF is something that you should be aware of,” asserts Elzar. “It also allows you to start now with proactively identifying, ‘Okay, this is the way that we’re going.’”

Elzar emphasizes: “The whole concept of shifting left is being pushed out by the government. It’s going to be adopted by the private sector more and more. It’s something that organizations need to do to stay competitive. It comes down to not just first to market, but also having a secure product that’s first to market. I think that’s going to hopefully become more the norm in the future.”

John responds that a Pivot Point Security client that produces a “healthcare device” is already being asked about SSDF compliance and whether they can produce a Software Bill of Materials (SBOM).

“They’re not in the government food chain and this isn’t a government entity that’s asking them this,” elaborates John. “It’s a healthcare entity that’s asking them this.”

This is the leading edge of a huge wave.

“I think there’s a general recognition of the potential import of [SSDF],” observes John. “If you are producing software or you’re producing a device that has software on it, you probably should be cognizant of the SSDF.”

Due diligence for software consumers

The SSDF also helps organizations that consume software gain greater assurance about, and awareness of, the maturity of their vendors’ software security programs.

“Ask them about their SDLC, ask them if they are SSDF compliant, ask them if they can produce an SBOM,” John suggests. “We’re recommending to our clients already that they add these types of [due diligence] into their third-party risk management practices.”

Using renewed focus on Zero Trust as an example, Elzar points out: “The government is like an amplifier for a lot of these things. They’re not always in front. But when they get there and they start to talk about things, it tends to bring more attention to it. … People are asking more questions around a concept because it’s getting more publicity.”

Coming right up

When you start seeing cybersecurity guidelines in government contracts, the rubber has met the road. So, when will SSDF compliance become mainstream across USG software procurement?

SSDF Version 1.1 was finalized in February 2022. In March 2022, the Office of Management and Budget (OMB) began requiring federal agencies to adopt the SSDF, including implementing it within their risk profiles and mission plans. Also in March 2022, OMB announced that it would begin working with the private sector on SSDF compliance and attestation requirements, with a 60-day timeframe for finalizing them.

“Everybody right now is just waiting for OMB to really be clear on how and when companies have to really attest to [SSDF compliance],” Elzar clarifies. “I think the best guess is that by the end of the year it’s going to be maybe required in some of the bigger contracts. Or OMB might come out and say, ‘Okay, by this time you need to be compliant.’”

Compliance will likely start with critical software contracts and expand out from there to eventually apply across the board to all USG software purchases. Similar to what’s being seen around the CMMC program, prime contractors will start “flowing down” SSDF requirements into their supply chains even faster than the government is moving.

“The primes are going to start putting a little more pressure on the subcontractors, like, ‘Hey, you need to start aligning your programs [with SSDF] if you’re developing software on our behalf,’” advises Elzar. “I think you might start seeing a lot more of that type of activity, probably toward the end of this year.”

What’s next?

Interested in “business-friendly” advice on how to start building a software security program? This podcast with thought leader Jim Manico offers just that: EP#19 – Jim Manico – Why Application Security is a Team Sport and How Your Team Will Win