NIST SP 800-218 SSDF
NIST SP 800-218 Secure Software Development Framework v1.1.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (4)
PO - Prepare the Organization
| Code | Title |
|---|---|
| PO.1.1 | Identify and document security requirements for software development infrastructure and processes |
| PO.1.2 | Identify and document security requirements for organization-developed software |
| PO.1.3 | Communicate requirements to third parties providing commercial software components |
| PO.2.1 | Create roles and responsibilities for SDLC personnel |
| PO.2.2 | Provide role-based training for SDLC personnel |
| PO.2.3 | Foster a security-focused culture and management commitment |
| PO.3.1 | Specify which tools or tool types must be included in the toolchain |
| PO.3.2 | Deploy and maintain a secure toolchain |
| PO.3.3 | Configure tools to generate artifacts of provenance for audit |
| PO.4.1 | Define criteria for software security checks |
| PO.4.2 | Implement processes, mechanisms, etc. to collect and analyze information for criteria |
| PO.5.1 | Separate and protect each environment involved in software development |
| PO.5.2 | Secure and harden development endpoints |
PS - Protect the Software
| Code | Title |
|---|---|
| PS.1.1 | Store all forms of code based on least privilege, integrity, and provenance |
| PS.2.1 | Make software integrity verification information available to acquirers |
| PS.3.1 | Archive the necessary files and supporting data for each release |
| PS.3.2 | Collect, safeguard, maintain, and share provenance data for components |
PW - Produce Well-Secured Software
| Code | Title |
|---|---|
| PW.1.1 | Use forms of risk modeling (e.g., threat modeling, attack modeling) to design |
| PW.1.2 | Track and maintain the software's security requirements, risks, and design decisions |
| PW.1.3 | Reuse existing, well-secured software when feasible |
| PW.2.1 | Have a qualified person review the software design to confirm compliance |
| PW.4.1 | Acquire and maintain well-secured software components from commercial, open-source, and other third-party developers |
| PW.4.2 | Create well-secured software components in-house following SDLC processes |
| PW.4.4 | Verify acquired commercial, open-source, and other third-party software components |
| PW.5.1 | Follow all secure coding practices appropriate to the development languages and environment |
| PW.6.1 | Use compiler, interpreter, and build tools that offer features to improve security |
| PW.6.2 | Determine which compiler, interpreter, and build tool features should be used and how each should be configured |
| PW.7.1 | Determine whether code review and/or code analysis should be used |
| PW.7.2 | Perform the code review and/or code analysis based on the organization's secure coding practices |
| PW.8.1 | Determine whether executable code testing should be performed to find vulnerabilities |
| PW.8.2 | Scope the testing, design the tests, perform the testing, and document the results |
| PW.9.1 | Define a secure baseline by determining how to configure each setting that has an effect on security |
| PW.9.2 | Implement the default settings (or groups of default settings) and document them |
RV - Respond to Vulnerabilities
| Code | Title |
|---|---|
| RV.1.1 | Gather information from purchasers, consumers, and public sources on potential vulnerabilities |
| RV.1.2 | Review, analyze, and/or test the software's code to identify or confirm vulnerabilities |
| RV.1.3 | Have a policy that addresses vulnerability disclosure and remediation |
| RV.2.1 | Analyze each vulnerability to gather sufficient information to plan its remediation |
| RV.2.2 | Develop and implement a remediation plan for each vulnerability |
| RV.3.1 | Analyze identified vulnerabilities to determine their root causes |
| RV.3.2 | Analyze the root causes over time to identify patterns |
| RV.3.3 | Review the SDLC to identify changes that could prevent root causes recurring |
| RV.3.4 | Inform stakeholders about vulnerabilities, mitigations, and lessons learned |
Frequently Asked Questions
What is NIST SP 800-218 SSDF?
NIST SP 800-218 SSDF is a compliance framework from United States with 4 domains and 42 controls. NIST SP 800-218 Secure Software Development Framework v1.1. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does NIST SP 800-218 SSDF have?
NIST SP 800-218 SSDF has 42 controls organised across 4 domains. The largest domains are PW - Produce Well-Secured Software (16 controls), PO - Prepare the Organization (13 controls), RV - Respond to Vulnerabilities (9 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does NIST SP 800-218 SSDF map to?
NIST SP 800-218 SSDF does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.
How do I get started with NIST SP 800-218 SSDF compliance?
Start your NIST SP 800-218 SSDF compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-218 SSDF requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 42 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.
Get Started Free →Free forever — no credit card required