NIST SP 800-218 Secure Software Development Framework (SSDF)
NIST SP 800-218 Secure Software Development Framework v1.1.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (4)
PO - Prepare the Organization
| Code | Title |
|---|---|
| PO.1.1 | Define Secure Software Development Policies |
| PO.1.2 | Roles and Responsibilities |
| PO.1.3 | Communicate requirements to third parties providing commercial software components |
| PO.2.1 | Workforce Training |
| PO.2.2 | Provide role-based training for SDLC personnel |
| PO.2.3 | Foster a security-focused culture and management commitment |
| PO.3.1 | Toolchain Selection and Implementation |
| PO.3.2 | Toolchain Security and Monitoring |
| PO.3.3 | Configure tools to generate artifacts of provenance for audit |
| PO.4.1 | Security Metrics and Measurement |
| PO.4.2 | Implement processes, mechanisms, etc. to collect and analyze information for criteria |
| PO.5.1 | Secure Software Development Environments |
| PO.5.2 | Secure and harden development endpoints |
PS - Protect the Software
| Code | Title |
|---|---|
| PS.1.1 | Protect Source Code Integrity |
| PS.2.1 | Software Release Integrity Verification |
| PS.3.1 | Archive and Protect Each Release |
| PS.3.2 | Software Bill of Materials (SBOM) |
PW - Produce Well-Secured Software
| Code | Title |
|---|---|
| PW.1.1 | Design Software for Security |
| PW.1.2 | Track and maintain the software's security requirements, risks, and design decisions |
| PW.1.3 | Reuse existing, well-secured software when feasible |
| PW.2.1 | Review and Approve Security Requirements |
| PW.4.1 | Reuse Existing, Well-Secured Software |
| PW.4.2 | Create well-secured software components in-house following SDLC processes |
| PW.4.4 | Verify acquired commercial, open-source, and other third-party software components |
| PW.5.1 | Create Source Code Following Secure Coding Practices |
| PW.6.1 | Configure Compilation and Build Processes |
| PW.6.2 | Determine which compiler, interpreter, and build tool features should be used and how each should be configured |
| PW.7.1 | Review and Analyse Human-Readable Code |
| PW.7.2 | Perform the code review and/or code analysis based on the organization's secure coding practices |
| PW.8.1 | Test Executable Code |
| PW.8.2 | Scope the testing, design the tests, perform the testing, and document the results |
| PW.9.1 | Configure Software with Secure Defaults |
| PW.9.2 | Implement the default settings (or groups of default settings) and document them |
RV - Respond to Vulnerabilities
| Code | Title |
|---|---|
| RV.1.1 | Identify and Confirm Vulnerabilities on an Ongoing Basis |
| RV.1.2 | Review, analyze, and/or test the software's code to identify or confirm vulnerabilities |
| RV.1.3 | Have a policy that addresses vulnerability disclosure and remediation |
| RV.2.1 | Assess, Prioritise, and Remediate Vulnerabilities |
| RV.2.2 | Develop and implement a remediation plan for each vulnerability |
| RV.3.1 | Analyse Vulnerabilities to Identify Root Causes |
| RV.3.2 | Analyze the root causes over time to identify patterns |
| RV.3.3 | Review the SDLC to identify changes that could prevent root causes recurring |
| RV.3.4 | Inform stakeholders about vulnerabilities, mitigations, and lessons learned |
Frequently Asked Questions
What is NIST SP 800-218 Secure Software Development Framework (SSDF)?
NIST SP 800-218 Secure Software Development Framework (SSDF) is a compliance framework from United States with 4 domains and 42 controls. NIST SP 800-218 Secure Software Development Framework v1.1. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does NIST SP 800-218 Secure Software Development Framework (SSDF) have?
NIST SP 800-218 Secure Software Development Framework (SSDF) has 42 controls organised across 4 domains. The largest domains are PW - Produce Well-Secured Software (16 controls), PO - Prepare the Organization (13 controls), RV - Respond to Vulnerabilities (9 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does NIST SP 800-218 Secure Software Development Framework (SSDF) map to?
NIST SP 800-218 Secure Software Development Framework (SSDF) does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.
How do I get started with NIST SP 800-218 Secure Software Development Framework (SSDF) compliance?
Start your NIST SP 800-218 Secure Software Development Framework (SSDF) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-218 Secure Software Development Framework (SSDF) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 42 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 768 frameworks.
Get Started Free →Free forever — no credit card required