Security Engineering Briefing — NIST Releases SSDF 1.1
NIST published version 1.1 of Special Publication 800-218 on February 4, 2022, expanding the Secure Software Development Framework with supply-chain attestation and provenance practices required by U.S. government buyers.
Executive briefing: The U.S. National Institute of Standards and Technology issued SP 800-218, Secure Software Development Framework (SSDF) version 1.1 on . The update aligns with Executive Order 14028 directives and adds guidance for software supply-chain assurance.
Key updates
- Provenance and attestations. Version 1.1 introduces practices for generating software bills of materials (SBOMs) and attesting to build environment integrity.
- Dependency risk management. Organizations are instructed to inventory third-party components, assess vulnerabilities, and monitor for tampering across the lifecycle.
- Secure build environments. The framework details hardened build pipeline expectations, including access controls, logging, and segregation of duties.
Implementation guidance
- Policy alignment. Map SSDF practices to existing SDLC controls, CMMC 2.0 requirements, and customer supply-chain questionnaires.
- Tooling enablement. Integrate signing, SBOM generation, and tamper-evident logs into CI/CD workflows.
- Assurance evidence. Prepare documentation packages to support government procurement attestations and future OMB memoranda.
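The three tooling pieces named above (artifact signing, an attestation that binds a build to its inventory of components, and a tamper-evident pipeline log) fit together in a small amount of code. The following is an added example written for this briefing, not code from NIST or from any SSDF tooling: it wraps the artifact digest and component inventory in an in-toto Statement (v0.1 layout), signs it, appends pipeline events to a hash-chained log, and then verifies all of it so that a swapped artifact, a forged signature, or an edited log record is rejected. The artifact bytes, component list, builder id, predicate type URL and signing key are constructed placeholders; the HMAC stands in for the asymmetric or keyless signing a real pipeline would use.

```python
import hashlib
import hmac
import json

# Constructed sample inputs (not from the briefing): a built artifact and the
# third-party components resolved during the build, each with a digest.
ARTIFACT = b"example-service binary contents v1.4.2"
COMPONENTS = [
    {"name": "left-pad", "version": "1.3.0",
     "sha256": hashlib.sha256(b"left-pad-1.3.0").hexdigest()},
    {"name": "requests", "version": "2.31.0",
     "sha256": hashlib.sha256(b"requests-2.31.0").hexdigest()},
]
# Stand-in signing key (assumption): production pipelines sign with an
# asymmetric key or keyless signing, never a shared secret like this.
SIGNING_KEY = b"hypothetical-build-signing-key"


def canonical(obj):
    """Deterministic JSON bytes so digests and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_attestation(artifact, components, builder_id):
    """Build an in-toto Statement binding the artifact digest to the build
    environment identity and the component inventory, then sign it."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "example-service",
                     "digest": {"sha256": sha256_hex(artifact)}}],
        # Hypothetical predicate type; SLSA provenance would use its own URL.
        "predicateType": "https://example.com/build-provenance/v1",
        "predicate": {"builder": {"id": builder_id}, "materials": components},
    }
    signature = hmac.new(SIGNING_KEY, canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": signature}


def verify_attestation(bundle, artifact):
    """True only if the signature covers the statement unchanged and the
    statement's subject digest matches the artifact actually in hand."""
    expected = hmac.new(SIGNING_KEY, canonical(bundle["statement"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["signature"]):
        return False
    subject_digest = bundle["statement"]["subject"][0]["digest"]["sha256"]
    return subject_digest == sha256_hex(artifact)


def append_log(log, entry):
    """Hash-chained log: every record commits to the previous record's hash,
    so editing or deleting an earlier record breaks every later link."""
    prev = log[-1]["hash"] if log else "0" * 64
    record = {"prev": prev, "entry": entry,
              "hash": sha256_hex(canonical({"prev": prev, "entry": entry}))}
    log.append(record)
    return log


def verify_log(log):
    """Recompute each record's hash and check it links to its predecessor."""
    prev = "0" * 64
    for record in log:
        recomputed = sha256_hex(canonical({"prev": record["prev"], "entry": record["entry"]}))
        if record["prev"] != prev or record["hash"] != recomputed:
            return False
        prev = record["hash"]
    return True


def build_and_record():
    """Simulate one pipeline run: attest the artifact and log the events."""
    bundle = make_attestation(ARTIFACT, COMPONENTS, "https://ci.example.internal/runner/7")
    log = []
    append_log(log, {"event": "build-start", "runner": "runner-7"})
    append_log(log, {"event": "attestation", "signature": bundle["signature"]})
    return bundle, log


if __name__ == "__main__":
    bundle, log = build_and_record()
    print("attestation verifies:", verify_attestation(bundle, ARTIFACT))
    print("log chain intact:", verify_log(log))
    # An artifact swapped after the build fails the subject digest check.
    print("tampered artifact verifies:", verify_attestation(bundle, ARTIFACT + b"\x00"))
```

The verification side is what matters for procurement evidence: a consumer needs only the attestation bundle, the artifact and the log to re-check every claim, and the digest-of-digests in the log means a reviewer can spot an edited or dropped record without trusting the CI host that produced it.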
Enablement moves
- Run readiness assessments comparing current secure development programs against SSDF tasks.
- Coordinate with legal and sales teams on customer reporting templates referencing SSDF controls.
- Establish continuous monitoring of upstream dependencies, leveraging services like OSV, Scorecard, or Dependency-Track.