NIST SP 800-218 represents a watershed moment for every organization that supplies software and software services to the United States government. Under these guidelines, suppliers are required to implement secure software development practices throughout the Software Development Life Cycle (SDLC), with the goal of reducing security vulnerabilities and malicious interventions.
Section 4 of US Executive Order 14028, Improving the Nation’s Cybersecurity charges the US National Institute of Standards and Technology (NIST) with identifying standards, tools, and practices for securing the software supply chain and establishing guidelines for doing so based on input from both public and private sectors.
NIST’s Secure Software Development Framework (SSDF) promotes transparency and tamper-resistant measures to reduce the risk of malicious intervention and exposure to vulnerabilities in the Software Development Lifecycle. In our view, these are primarily:
- Validating artifact and data integrity
- Digitally signing software artifacts
- Collecting evidence for all critical changes during the software life cycle
- Validating the provenance of every component in a software artifact
Security experts consider that tracking all files from the source control through the build, verifying that there is no unintended change by comparing file hash values, and tracking new files and the integrity of the tools in the toolchain are all useful in reducing the risk of malicious intervention in software products. These tools work in tandem with collecting evidence on each step of your process and signing that evidence, making it an immutable attestation.
The essence of these guidelines is the adoption of a risk-based approach that determines mitigations to threats for a particular software’s development life cycle. You define your security guidelines according to your own risk assessments and then continually apply those rules to all parts of your processes.
It is certainly not too early to take steps to improve your security posture in order to facilitate compliance with these regulatory changes. Moreover, preparing in advance for the implementation of NIST SP 800-218 will allow you to more thoroughly and comfortably identify the actions you must undertake and their impact on your people and processes.
These measures may not only position you to more readily comply with the new regulations, but can also significantly improve your product security posture and enhance your company’s business reputation today and in the future.
To learn more about the changing regulations and what specific security measures we suggest you start with, check out our full whitepaper on the SSDF.