Secure Software Development Framework (SSDF) Version 1.1

Withdrawn Draft Warning Notice

The attached draft document has been withdrawn, and is provided solely for historical purposes. It has been superseded by the document identified below.

Withdrawal Date: February 3, 2022
Original Release Date: September 30, 2021

Superseding Document
Status: Final
Series/Number: NIST Special Publication 800-218
Title: Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities
Publication Date: February 2022
DOI:
CSRC URL:
Additional Information:

Draft NIST Special Publication 800-218

Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities

Murugiah Souppaya
Computer Security Division
Information Technology Laboratory

Karen Scarfone
Scarfone Cybersecurity
Clifton, VA

Donna Dodson*
* Former NIST employee; all work for this publication was done while at NIST.

This publication is available free of charge from:

September 2021

Department of Commerce
Gina M. Raimondo, Secretary

National Institute of Standards and Technology
James K. Olthoff, Performing the Non-Exclusive Functions and Duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology

Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-218
Natl. Inst. Stand. Technol. Spec. Publ. 800-218, 31 pages (September 2021)
CODEN: NSPUE2

This publication is available free of charge from:

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.

Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at

Public comment period: September 30, 2021 through November 5, 2021

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Email:

All comments are subject to release under the Freedom of Information Act (FOIA).

NIST SP 800-218 (DRAFT) SSDF Version 1.1

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This document recommends the Secure Software Development Framework (SSDF), a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Because the framework provides a common vocabulary for secure software development, software purchasers and consumers can also use it to foster communications with suppliers in acquisition processes and other management activities.

Keywords

secure software development; Secure Software Development Framework (SSDF); secure software development practices; software acquisition; software development; software development life cycle (SDLC); software security.

Trademark Information

All registered trademarks or trademarks belong to their respective organizations.

Acknowledgments

The authors thank all of the organizations and individuals who provided input for this update to the SSDF. In response to Section 4 of Executive Order (EO) 14028 on Improving the Nation's Cybersecurity, NIST held a June 2021 workshop and received over 150 position papers, many of which suggested secure software development practices, tasks, examples of implementations, and references for consideration for this SSDF update. The authors appreciate all of those suggestions, as well as the inputs from those who spoke at the workshop or attended the workshop and shared their thoughts during or after the workshop.
