Today Anchore is releasing an update to its NIST Policy Pack that can help customers achieve NIST 800-218 SSDF compliance. This policy pack can be imported into a running Anchore Enterprise instance and checks the technical controls that apply to applications, containers, and environments.
The Executive Order on Improving the Nation’s Cybersecurity sets out expectations for NIST to provide guidance on how to improve the security of software development. That order was issued in early 2021 and we saw the guidance come to fruition in late 2022. The secure development recommendations in this order resulted in the creation of the Secure Software Development Framework (SSDF), a set of secure software development guidance created by NIST and formalized as NIST 800-218. The intention of this standard is that anyone conducting business with the government will follow this guidance.
The idea of securing the software supply chain has been gaining momentum over the past few years, but how to do this isn’t always clear. If you have been watching the supply chain space, the guidance often lacks concrete details and can conflict with itself. NIST is the gold standard when it comes to clearly defining a compliance standard and making sure the various controls are easy to understand and implement. The SSDF is a great example of NIST taking a poorly defined concept and putting well-defined actions behind it.
We can expect many U.S. Federal agencies and regulated industries to mandate that their software and service vendors comply with the controls spelled out in the SSDF in the coming years. It’s common for new standards to take some time to catch on, and the SSDF will be no different. This gives the rest of us time to understand and comply with the standard.
Anchore Enterprise has a robust policy engine that is used today by many customers to stay in compliance with standards such as CIS and FedRAMP using predefined policy packs created by Anchore.
Anchore has updated its NIST Policy Pack to incorporate the controls recommended by the SSDF as part of NIST 800-218. The new controls include steps such as inspecting for malware and secrets, scanning for known vulnerabilities, and generating software bills of materials (SBOMs). This policy pack doesn’t meet every control specified by the SSDF. Some controls cannot be automatically detected, such as training requirements and development practices. However, the controls that apply to the technical content of a project are things we detect. This new policy complements pre-existing support for NIST 800-53 and NIST 800-190. In addition, the NIST Policy Pack includes support for detecting packages included in the CISA Known Exploited Vulnerabilities (KEV) catalog.
By using the NIST Policy Pack with controls for the SSDF, Anchore Enterprise customers can automate the enforcement of NIST’s recommendations, alerting application developers or security engineers to failures as software is being developed and built instead of during a compliance audit. Anchore’s reporting capabilities enable security teams to demonstrate their level of compliance as part of formal reporting requirements. By automating SSDF control checks and enforcement, the time needed to prove compliance can be reduced.
Those interested in learning more about the NIST Policy Pack can visit our federal compliance web page or request a demo for an interactive view of the new features.