Automate NIST compliance and SSDF attestation

NIST has published many documents about the security of the software development process.  Some are general best practices, while others define specific controls.  Many of these documents build on each other or are interrelated.

These controls or best practices may then be made mandatory in certain circumstances, such as in FedRAMP or in meeting coming requirements for software publishers to attest to secure software practices that meet the Secure Software Development Framework (SSDF). Some publications address the specific concerns of software delivered via containers.

• NIST 800-53 – Security and Privacy Controls for Information Systems and Organizations: This document is often known as a “control catalog” and provides many of the baseline controls that other documents and standards rely on.

• NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations: This document lays out best practices for software supply chain security.

• NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: This document outlines security requirements derived from FIPS 200 and NIST 800-53 based on CUI regulations.  These requirements apply to all components of systems created by software publishers that process, store, or transmit CUI.

• FIPS 200 Minimum Security Requirements for Federal Information and Information Systems: This document defines the minimum security requirements for federal information systems. Federal agencies are required to meet the minimum security requirements defined in this standard through the use of the security controls in NIST 800-53.

• NIST 800-190 – Application Container Security Guide: Makes recommendations for addressing security for containers and indicates which controls of 800-53 apply to containers.

• NIST 800-218 Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: Defines best practices for software supply chain security and maps those best practices to subsections of the Executive Order on Improving the Nation’s Cybersecurity.  Many of the best practices are, in turn, based on other standards like NIST 800-53, NIST, NIST 800-161, and NIST 800-181.

The US government will soon require software publishers that sell on-premise software or SaaS to the federal government to attest that they follow a list of security practices in their software development via the Secure Software Development Attestation Form.  

This will be a critical requirement for any organization selling to the US federal government. The form must be signed by the CEO or designee. In place of self-attestation, companies may also provide assessments prepared by certified FedRAMP Third Party Assessor Organizations (“3PAO”).

The form is a draft, and public comments have already been collected. Once the form is finalized, software publishers will have 3 to 6 months to provide attestations, depending on the software’s criticality.

One of the attestation’s requirements is that “the software producer maintains provenance data for internal and third-party code incorporated into the software.” Most experts believe that an SBOM will be necessary to fulfill that requirement since you must first know what software components are included and maintain provenance data. In addition, particular agencies may require you to supply the SBOM along with the attestation. 

Your organization should be prepared to generate, collect, store, and manage SBOMs.

The President’s Executive Order (EO) on Improving the Nation’s Cybersecurity (14028), issued on May 12, 2021, is focused on protecting US government systems from cyber threats and malicious actors. The EO charged multiple agencies—including NIST—with enhancing cybersecurity through various initiatives related to the security and integrity of the software supply chain.

NIST 800-218, also known as the Secure Software Development Framework (SSDF), defines best practices for software supply chain security and maps those best practices to subsections of the EO.  Many of the best practices are based on other standards like NIST 800-53, NIST, NIST 800-161, and NIST 800-181.

NIST 800-53 is a foundational standard known as a “control catalog” and provides many of the baseline controls that other documents and standards rely on. 

Get a handle on the essential things to know about NIST 800-53 in this webinar.

DoD documentation relating to DevSecOps software factories is aligned to the controls specified in NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), NIST SP 800-37 (Risk Management Framework for Information Systems and Organizations), and NIST SP 800-190 (Application Container Security Guide).