SDLC governance briefing — NIST updates the Secure Software Development Framework
NIST released version 1.1 of the Secure Software Development Framework on 4 February 2022, refining practices agencies expect vendors to follow for code integrity, verification, and incident response.
What happened: NIST CSWP 1.1 clarified tasks for secure software design, verified builds, and vulnerability disclosure, aligned with the Executive Order 14028 mandates.
- Process alignment: Map existing SDLC controls to SSDF practices, identifying gaps in threat modelling, secure coding training, and code review.
- Build integrity: Document tamper-resistant build pipelines and artifact signing to satisfy SSDF requirements.
- Incident readiness: Ensure coordinated vulnerability disclosure processes align with the SSDF Respond to Vulnerabilities practices.
Next steps: Update policy documentation, train engineering leads on SSDF tasks, and capture objective evidence ahead of procurement attestations.