NIST SP 800-218
Secure Software Development Framework (SSDF)
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (10)
NIST SP 800-218: Access Control
Logical and physical access controls (NIST SP 800-218)
| Code | Title |
|---|---|
| SP800-218-PW.7.2 | Perform Code Review and Analysis |
| SP800-218-PW.8.2 | Execute Security Testing |
| SP800-218-PW.9.2 | Implement and Document Secure Defaults |
| SP800-218-RV.1.2 | Review and Analyze Code for Vulnerabilities |
| SP800-218-RV.1.3 | Vulnerability Disclosure Policy |
NIST SP 800-218: Asset Management
Information asset management (NIST SP 800-218)
| Code | Title |
|---|---|
| SP800-218-PW.1.2 | Track Security Requirements, Risks, and Decisions |
| SP800-218-PW.1.3 | Support Standardized Security Features |
| SP800-218-PW.2.1 | Qualified Review of Software Design |
| SP800-218-PW.4.2 | Maintain Well-Secured In-House Components |
| SP800-218-PW.6.2 | Configure Build Tool Security Features |
NIST SP 800-218: Communications Security
Network and communications security (NIST SP 800-218)
NIST SP 800-218: Cryptography
Cryptographic controls (NIST SP 800-218)
| Code | Title |
|---|---|
| SP800-218-RV.2.2 | Develop and Implement Remediation Plans |
| SP800-218-RV.3.2 | Identify and Fix Similar Vulnerabilities |
| SP800-218-RV.3.3 | Review SDLC to Prevent Recurrence |
| SP800-218-RV.3.4 | Document Lessons Learned |
NIST SP 800-218: Information Security Policies
Organizational information security policies (NIST SP 800-218)
| Code | Title |
|---|---|
| SP800-218-PO.1.3 | Communicate Requirements to Third-Party Providers |
| SP800-218-PO.2.3 | Obtain Management Commitment to Secure Development |
| SP800-218-PO.3.3 | Toolchain Generates Security Artifacts |
| SP800-218-PO.4.2 | Gather and Safeguard Security Check Information |
| SP800-218-PO.5.2 | Harden Development Endpoints |
NIST SP 800-218: Operations Security
Secure operations and monitoring (NIST SP 800-218)
Prepare the Organization
| Code | Title |
|---|---|
| SP800-218-PO.1.1 | Define Security Requirements for Software Development |
| SP800-218-PO.1.2 | Implement Security Requirements in the Toolchain |
| SP800-218-PO.2.1 | Roles and Responsibilities for Secure Development |
| SP800-218-PO.2.2 | Training and Skills Maintenance |
| SP800-218-PO.3.1 | Supporting Toolchain Selection |
| SP800-218-PO.3.2 | Toolchain Configuration and Integration |
| SP800-218-PO.4.1 | Criteria for Software Security |
| SP800-218-PO.5.1 | Secure Development Environment Implementation |
Produce Well Secured Software
| Code | Title |
|---|---|
| SP800-218-PW.1.1 | Design Software to Meet Security Requirements |
| SP800-218-PW.4.1 | Reuse Trusted Software Components |
| SP800-218-PW.4.4 | Verify Acquired Components Meet Security Requirements |
| SP800-218-PW.5.1 | Secure Coding Practices |
| SP800-218-PW.6.1 | Configure Compilation and Build Processes Securely |
| SP800-218-PW.7.1 | Code Review |
| SP800-218-PW.8.1 | Executable Testing for Security |
| SP800-218-PW.9.1 | Configure Software to Have Secure Settings by Default |
Protect the Software
| Code | Title |
|---|---|
| SP800-218-PS.1.1 | Protect All Forms of Code from Unauthorized Modification |
| SP800-218-PS.2.1 | Provide a Mechanism for Verifying Software Release Integrity |
| SP800-218-PS.3.1 | Archive and Protect Released Software |
| SP800-218-PS.3.2 | Software Bill of Materials |
Respond to Vulnerabilities
| Code | Title |
|---|---|
| SP800-218-RV.1.1 | Identify and Confirm Vulnerabilities on an Ongoing Basis |
| SP800-218-RV.2.1 | Assess, Prioritize, and Remediate Vulnerabilities |
| SP800-218-RV.3.1 | Analyze Vulnerabilities to Identify Root Causes |
Your Compliance Coverage
If you comply with NIST SP 800-218, you already cover:
NIST SP 800-53 Rev 5
95%
40 controls mapped
Compare →BSIMM
50%
21 controls mapped
Compare →PCI DSS 4.0
17%
7 controls mapped
Compare →+ 8 more: ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence (12%), SWIFT CSCF v2024 (5%)
See all 11 mapped frameworks ↓Maps to 11 other frameworks
Frequently Asked Questions
What is NIST SP 800-218?
NIST SP 800-218 is a compliance framework from United States with 10 domains and 42 controls. Secure Software Development Framework (SSDF) It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does NIST SP 800-218 have?
NIST SP 800-218 has 42 controls organised across 10 domains. The largest domains are Prepare the Organization (8 controls), Produce Well Secured Software (8 controls), NIST SP 800-218: Access Control (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does NIST SP 800-218 map to?
NIST SP 800-218 maps to 11 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (95% coverage), BSIMM (50% coverage), PCI DSS 4.0 (17% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with NIST SP 800-218 compliance?
Start your NIST SP 800-218 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-218 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 42 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.
Get Started Free →Free forever — no credit card required