What is NIST 800-218, the Secure Software Development Framework (SSDF)?
In March 2023, the White House published the National Cybersecurity Strategy. In July, the White House followed that up with the National Cybersecurity Strategy Implementation Plan.
As we wrote in a blog post earlier this year:
“With the introduction of the National Cybersecurity Strategy earlier this year, the US Government has started to use its influence and buying power to alter the behavior of all software producers. The US Government is the world’s largest consumer of IT products and services in dollars. It appears they will be using that buying power to add additional cybersecurity requirements for all software purchased. Companies will be faced with the options of changing their behavior or walking away from selling to the federal government.
The National Cybersecurity Strategy makes the case that there must be a shift of the burden for cybersecurity from the consumers of software to the producers of software. One of the requirements they are implementing is that all software vendors attest that they developed their software in accordance with NIST 800-218, the Secure Software Development Framework, or SSDF.”
Companies providing software to government customers need to certify that their development process meets certain standards known as the Secure Software Development Framework (SSDF).
The Secure Software Development Framework (SSDF) is composed of “fundamental, sound, and secure recommended practices based on established secure software development practice documents” and organized into four groups:
- Prepare the Organization (PO): Ensure that people, processes, and technology are prepared to perform secure software development at the organization level.
- Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.
- Produce Well-Secured Software (PW): Produce well-secured software with minimal security vulnerabilities in its releases.
- Respond to Vulnerabilities (RV): Identify residual vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar ones in the future.
What CEOs Need to Do Right Now
- Understand the Requirements: Familiarize yourself with NIST 800-218 and the SSDF.
- Designate a Responsible Leader: Assign a high-level leader, such as the CISO, to oversee SSDF compliance.
- Conduct an Internal Audit: Ensure your software development lifecycle (SDLC) aligns with SSDF practices.
- Leverage Tools: Use tools like Checkmarx One and Codebashing to meet SSDF standards.
- Sign the Attestation Form: Verify the security practices and sign the Secure Software Development Attestation Form.
Taking these steps will help secure your software development processes and maintain your business relationship with the federal government.
What NIST 800-218 Requires
NIST 800-218 is not strictly a compliance requirement but rather a set of best practices. The Secure Software Development Framework (SSDF) is a core set of high-level secure software development practices that can be integrated into each SDLC implementation.
So, it isn’t a compliance framework—it’s a set of principles that should be followed. This is an important distinction since Checkmarx supports the implementation of many of those practices.
Why Now?
On March 11th, the Cybersecurity and Infrastructure Security Agency (CISA) released a critical form—the Secure Software Development Attestation Form. This stems from government mandates (OMB memorandums M-22-18 and M-23-16) aiming to improve software security for government use.
The form requires a signature from a high-level leader within your software company, potentially the CEO. The deadline is coming up fast!
Submitting false information is a crime. Simply checking “yes” to all questions without truly adhering to secure development is a risky strategy.
This is the opportunity for CEOs to verify with their teams if they are managing their SDLC securely and maturing their security practices.
The Attestation Form has a short list of basic software security requirements, which are a small subset of the NIST Secure Software Development Framework (SSDF). It has examples for each task to simplify the requirements, which can be less than straightforward for CEOs.
CEOs and CISOs should audit their requirements, replacing the examples in the Attestation Form with their own material.
This form signifies a growing focus on secure software development within the government sector. Understanding these requirements and taking them seriously is crucial for companies doing business with the American federal government.
According to the press release from CISA, this is “a critical step towards ensuring software producers who work with Government provide securely developed products” and “furthers the President’s National Cybersecurity Strategy, which made clear that the ‘most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem.’”
Simplify NIST 800-218 SSDF Compliance Certification
Want to see how Checkmarx can help your organization achieve NIST SSDF compliance and improve its security posture?
How Checkmarx One Can Help Achieve Compliance
Checkmarx products and services help organizations meet the requirements of the SSDF.
Checkmarx’s Assessment and Advisory services, in particular the APMA framework, can help identify gaps and create an actionable workplan to improve your AppSec program.
We have mapped where specific requirements of NIST 800-218 align with the APMA framework, so you can be confident that your AppSec program meets the SSDF standards. The practices are implemented through a combination of tools such as Checkmarx One, in conjunction with the relevant processes and procedures being put into place.
We previously laid out which of these requirements are supported by Checkmarx.
Checkmarx One supports many of these regulations with a comprehensive AppSec platform that provides differentiated users and roles, full records and audits of activities, and comprehensive security controls across the entire SDLC—from SAST and SCA to API Security, Container Security, Infrastructure as Code, and more.
Here are just a few examples of how Checkmarx helps organizations meet SSDF’s requirements:
- PO.2.2: Role-based training for personnel with responsibilities that contribute to secure development. Checkmarx Codebashing directly supports PO.2.2 by offering developers constantly updated secure code training.
- PS.3.2: Collecting, safeguarding, maintenance, and sharing of data for all components in each software release, such as in a software bill of materials (SBOM). Checkmarx supports this with Checkmarx SBOM, designed to meet these compliance challenges head-on and provide an automated and efficient solution for generating and maintaining SBOMs.
- PW.5: Source code adherence to secure coding practices. Checkmarx SAST can automatically scan your application’s source code, identify vulnerabilities, and even remediate them automatically at the click of a button. Developers get real-time feedback on their code to ensure it meets secure coding practices.
If you have any questions or would like to have a deeper discussion on implementation in support of SSDF, please contact us.