Home / NIST & SSDF Compliance

Automate NIST compliance and SSDF attestation

Software companies that sell to the US government will soon be required to attest that they follow secure software development practices.

    • Automate compliance checks for NIST standards. 
    • Ensure you meet the requirements for SSDF attestation.
    • Easily handle the unique challenges of containerized software.

Satisfy compliance for NIST and SSDF attestation

Companies that sell software to governments or regulated industries need robust software security programs. Software companies will also soon be required to attest to the US government that they follow secure software development practices.

Anchore Enterprise provides tools to automate various NIST standards and controls, including NIST 800-171, NIST 800-53, NIST 800-190, and NIST 800-218 Secure Software Development Framework. This includes:

  • NIST Policy Pack
    • Anchore Enterprise enables you to enforce controls for NIST 800-53 and 800-190 out of the box. Additionally, demonstrate compliance with controls from the Secure Software Development Framework as codified in NIST 800-218.
  • Runtime Continuous Monitoring
    • Integrate Anchore Enterprise into your runtime environment to detect NIST & SSDF attestation compliance violations against your production clusters. Support with EKS, ECS, GKE, AKS, OpenShift, and Rancher.
  • Reporting
    • Use Anchore Enterprise’s automated reports to generate documents on your NIST & SSDF attestation compliance status for your 3PAO.
  • Integration with major platforms
    • Integrate Anchore Enterprise with common DevOps platforms such as GitLab, GitHub, or Jenkins to enable shift-left security and compliance checks in CI/CD.

Learning Center: What is NIST 800-53

NIST 800-53, the “Control Catalog”, is a landmark federal compliance standard. In this webinar we distill the most important aspects of the standard. Join Anchore’s VP of Security to learn about the five critical points to know about achieving compliance.


Automate NIST controls

Anchore Enterprise out-of-the-box NIST policy packs automate the checks for NIST 800-171, NIST 800-53, NIST 800-190, and NIST 800-218. Access pass/fail reports of results. Get notified of failures.


Prepare for SSDF attestation

The US government will require SSDF attestation. Automate SSDF controls with an out–of–the–box policy pack for NIST 800-218. Get alerted of issues.


Vulnerability scanning

Automate vulnerability monitoring and scanning for containerized software. Perform scans in CI/CD pipelines, registries, and Kubernetes platforms. Identify malware, secrets, and other security risks.


Continuous monitoring

Automate continuous monitoring (ConMon) of production environments. Automatically inventory container images running in Kubernetes, identify vulnerabilities, analyze NIST controls, and alert on violations.


Track software provenance with SBOMs

Discover software components and generate a software bill of materials (SBOM). Ingest SBOMs from 3rd parties. Store and manage SBOMs for an audit trail. Generate an application SBOM to share with customers.


This webinar will explain what SSDF is and why it’s more of a journey than a simple checking of the box. Get a real-world perspective on secure software development. An understanding of what actual organizations are doing right now with SSDF and how to start your own journey towards SSDF compliance.


NIST and SSDF Compliance FAQs

Chevron icon What NIST standards are required for software sold to the US government?

NIST has published many documents about the security of the software development process.  Some are general best practices, while others define specific controls.  Many of these documents build on each other or are interrelated.

These controls or best practices may then be made mandatory in certain circumstances, such as in FedRAMP or in meeting coming requirements for software publishers to attest to secure software practices that meet the Secure Software Development Framework (SSDF). Some publications address the specific concerns of software delivered via containers.

This document is often known as a “control catalog” and provides many of the baseline controls that other documents and standards rely on. 

This document lays out best practices for software supply chain security.

This document outlines security requirements derived from FIPS 200 and NIST 800-53 based on CUI regulations.  These requirements apply to all components of systems created by software publishers that process, store, or transmit CUI.

This document defines the minimum security requirements for federal information systems. Federal agencies are required to meet the minimum security requirements defined in this standard through the use of the security controls in NIST 800-53.

Makes recommendations for addressing security for containers and indicates which controls of 800-53 apply to containers.

Defines best practices for software supply chain security and maps those best practices to subsections of the Executive Order on Improving the Nation’s Cybersecurity.  Many of the best practices are, in turn, based on other standards like NIST 800-53, NIST, NIST 800-161, and NIST 800-181.

Chevron icon What is SSDF attestation, and do I need to worry about it?

The US government will soon require software publishers that sell on-premise software or SaaS to the federal government to attest that they follow a list of security practices in their software development via the Secure Software Development Attestation Form.  

This will be a critical requirement for any organization selling to the US federal government. The form must be signed by the CEO or designee. In place of self-attestation, companies may also provide assessments prepared by certified FedRAMP Third Party Assessor Organizations (“3PAO”).

The form is a draft, and public comments have already been collected. Once the form is finalized, software publishers will have 3 to 6 months to provide attestations, depending on the software’s criticality.

Chevron icon Is an SBOM required for SSDF attestation?

One of the attestation’s requirements is that “the software producer maintains provenance data for internal and third-party code incorporated into the software.” Most experts believe that an SBOM will be necessary to fulfill that requirement since you must first know what software components are included and maintain provenance data. In addition, particular agencies may require you to supply the SBOM along with the attestation. 

Your organization should be prepared to generate, collect, store, and manage SBOMs.

Chevron icon What is the Executive Order, and how does it relate to SSDF and NIST 200-18?

The President’s Executive Order (EO) on Improving the Nation’s Cybersecurity (14028), issued on May 12, 2021, is focused on protecting US government systems from cyber threats and malicious actors. The EO charged multiple agencies—including NIST—with enhancing cybersecurity through various initiatives related to the security and integrity of the software supply chain.

NIST 800-218, also known as the Secure Software Development Framework (SSDF), defines best practices for software supply chain security and maps those best practices to subsections of the EO.  Many of the best practices are based on other standards like NIST 800-53, NIST, NIST 800-161, and NIST 800-181.

Chevron icon What is NIST 800-53, and why is it important?

NIST 800-53 is a foundational standard known as a “control catalog” and provides many of the baseline controls that other documents and standards rely on. 

Get a handle on the essential things to know about NIST 800-53 in this webinar.

Chevron icon What is SSDF attestation, and do I need to worry about it?

DoD documentation relating to DevSecOps software factories is aligned to the controls specified in NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), NIST SP 800-37 (Risk Management Framework for Information Systems and Organizations), and NIST SP 800-190 (Application Container Security Guide).

Learn more about solutions for federal compliance

Federal Compliance

Automate compliance checks using out-of-the-box and custom policies.

Open Source Security

Improve open source security by easily tracking direct and transitive open source dependencies to identify and fix vulnerabilities early.

DevSecOps

Automate DevSecOps for your cloud-native software supply chain with an API-first DevSecOps solution.

Container Security Solution

Identify and remediate container security risks and monitor post-deployment for new vulnerabilities.

FedRAMP Vulnerability Scanning

Meet the new FedRAMP Vulnerability Scanning Requirements for Containers and achieve compliance faster with Anchore.

Container Vulnerability Scanning

Reduce false positives and false negatives with best-in-class signal-to-noise ratio.

Kubernetes Images Scanning

Allow or prevent deployment of images based on flexible policies and continuously monitor the inventory of insecure images running in your clusters.

Container Registry Scanning

Identify and remediate new risks and vulnerabilities as they emerge.

CI/CD Security & Compliance

Embed security and compliance into your CI/CD pipeline to uncover vulnerabilities, secrets, and malware in your automated build processes.

Software Bill of Materials

Get comprehensive visibility of your software components and ensure vulnerability accuracy with the most complete SBOM available. Generate, store, analyze, and monitor SBOMs across the application lifecycle to identify software dependencies and improve supply chain security.

Container Compliance

Automate compliance checks using out-of-the-box and custom policies.

Speak with our security experts

Learn how Anchore’s SBOM-powered platform can help secure your software supply chain.