Today Anchore is releasing an update to its NIST Policy Pack that can help customers meet NIST 800-218 SSDF compliance. This policy pack can be imported into a running Anchore Enterprise instance and checks the technical controls that apply to applications, containers, and environments.
The Executive Order on Improving the Nation’s Cybersecurity sets out expectations for NIST to provide guidance on how to improve the security of software development. That order was issued in early 2021, and the guidance came to fruition in late 2022. The secure development recommendations in the order resulted in the creation of the Secure Software Development Framework (SSDF), a set of secure software development guidance created by NIST and formalized as NIST 800-218. The intention of this standard is that anyone conducting business with the government will follow its guidance.
The idea of securing the software supply chain has been gaining momentum over the past few years, but how to do it isn’t always clear. If you have been watching the supply chain space, the guidance often lacks concrete details and can conflict with itself. NIST is the gold standard when it comes to clearly defining a compliance standard and making sure the various controls are easy to understand and implement. The SSDF is a great example of NIST taking a poorly defined concept and putting well-defined actions behind it.
We can expect many U.S. Federal agencies and regulated industries to mandate that their software and service vendors comply with the controls spelled out in the SSDF in the coming years. It’s common for new standards to take some time to catch on, and SSDF will be no different. This gives the rest of us time to understand and comply with the standard.
How does Anchore help with SSDF compliance?
Anchore Enterprise has a robust policy engine that is used today by many customers to stay in compliance with standards such as CIS and FedRAMP using predefined policy packs created by Anchore.
Anchore has updated its NIST Policy Pack to incorporate the controls recommended by the SSDF as part of NIST 800-218. The new controls include steps such as inspecting for malware and secrets, scanning for known vulnerabilities, and generating software bills of materials (SBOMs). This policy pack doesn’t cover every control specified by the SSDF. Some controls cannot be automatically checked, such as training requirements and development practices. However, the controls that apply to the technical content of a project are things the policy pack detects. This new policy complements pre-existing support for NIST 800-53 and NIST 800-190. In addition, the NIST Policy Pack includes support for detecting packages included in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Why use the NIST Policy Pack?
By using the NIST Policy Pack with controls for the SSDF, Anchore Enterprise customers can automate the enforcement of NIST’s recommendations, alerting application developers or security engineers to failures as software is being developed and built instead of during a compliance audit. Anchore’s reporting capabilities enable security teams to demonstrate their level of compliance as part of formal reporting requirements. By automating SSDF control checks and enforcement, the time needed to prove compliance can be reduced.
Josh Bressers is vice president of security at Anchore, where he guides security feature development for the company’s commercial and open source solutions. He serves on the Open Source Security Foundation technical advisory council and is a co-founder of the Global Security Database project, a Cloud Security Alliance working group that is defining the future of security vulnerability identifiers.