As part of its effort to support cybersecurity, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) will host a virtual workshop on November 8, 2021, at 1:00 p.m. ET, on Executive Order (EO) 14028, Guidelines for Enhancing Software Supply Chain Security Including Standards, Procedures, and Criteria. Expert speakers will share their insights on secure software development tools and processes, and examine specific secure software development practices.
The workshop will provide a deeper look into the approach that NIST is taking to support Section 4e of President Biden’s EO on improving the nation’s cybersecurity, which was issued in May 2021.
Section 4e directs the Secretary of Commerce, acting through the Director of NIST and in consultation with the heads of such agencies as the Director of NIST deems appropriate, to issue guidance identifying practices that enhance the security of the software supply chain. (Read how organizations, including the ANSI National Accreditation Board (ANAB), supported EO Section 4 in response to NIST's call for position papers on standards and guidelines this year.)
NIST's response to the EO is the draft publication released in September 2021, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. It is a set of fundamental, sound practices for secure software development based on established standards and guidelines produced by various organizations. The draft recommends a core set of "high-level secure software development practices called the SSDF that can be integrated within each system development life cycle (SDLC) implementation." NIST reports that following these practices "should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences." Additionally, the SSDF directly addresses several of the practices called out in Section 4e and provides a starting point for discussing the other practices that Section 4e specifies.
To support the discussion, NIST is soliciting input about the types of meaningful artifacts of secure software development that software producers can share publicly in the form of self-declaration and attestation.
Access more information and register for the free NIST event.