The NIST Secure Software Development Framework (SSDF, published as NIST SP 800-218) is a set of recommended practices for reducing and managing the risks of producing software. It guides how organizations approach roles and responsibilities within a software company, the day-to-day of how software gets built, and how to respond when vulnerabilities are found. No software will ever be bug- or vulnerability-free, so the SSDF is a practical guide to minimizing risk while code is actually being written, and to what to do when a vulnerability in that code shows up.
Over the past few years, the U.S. government has been extremely active in developing strategies, policies, and regulations intended to improve cybersecurity for the government and for the nation's citizens and businesses. This work is now affecting software producers who supply software to the federal government: agencies are on a timeline that began in June 2024 for critical software and continues into September 2024. Any software company selling to the US federal government must submit an executive-signed attestation that it is following these guidelines in order to retain its government contracts. As this new, more regulated approach to building software spreads (see also the EU Cyber Resilience Act (CRA), FDA regulation, and New York financial regulation), software companies will become increasingly responsible for managing their entire software supply chains. This is great for consumer protection and national security, but it is a drastic change from how software has traditionally been built.
The NIST SSDF covers all software developed internally, as well as how companies manage the third-party software they consume. The attestation itself does not yet require companies to attest to the practices behind any of that third-party software, including open source software. On average, 80% of any application a company builds is third-party open source software, so any serious security effort will eventually have to address that code from a regulatory standpoint as well. The EU CRA is already taking this step.
At Tidelift, we approach open source software supply chain security by partnering with maintainers to ensure that their processes meet the same expectations our customers have for their internal developers. We collect attestations from upstream maintainers and assemble them into a data set, covering 28 fields mapped to the NIST SSDF, that lets our customers demonstrate due diligence on the open source they use. We can also provide our customers with documentation on how they are prioritizing and planning the removal of open source that is unsuitable for professional use.
Our customers don't have to worry about the time and energy drain of tracking down third-party open source compliance, because we continuously collect and refresh this data for them!