NIST SP 800-218 SSDF v1.1
Secure Software Development Framework
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0 . Attribution required per license terms.
60 All
PO — Prepare the Organization (17 practices)
PO.1Define Security Requirements for Software Development
PO.1.1Identify and Document Infrastructure Security Requirements
PO.1.2Identify and Document Software Security Requirements
PO.2Implement Roles and Responsibilities for Secure Development
PO.2.1Create and Maintain SDLC Roles and Responsibilities
PO.2.2Provide Role-Based Secure Development Training
PO.2.3Obtain Management Commitment to Secure Development
PO.3Implement Supporting Toolchains
PO.3.1Specify Toolchain Requirements
PO.3.2Securely Deploy and Maintain Tools
PO.3.3Configure Tools for Artifact Generation
PO.4Define Criteria for Software Security Checks
PO.4.1Define and Track Security Check Criteria
PO.4.2Implement Processes to Support Security Criteria
PO.5Protect Development Environments
PO.5.1Separate and Protect Development Environments
PO.5.2Secure and Harden Development Endpoints
PS — Protect the Software (7 practices)
PS.1Protect All Forms of Code from Unauthorized Access and Tampering
PS.1.1Store All Forms of Code with Least Privilege Access
PS.2Provide a Mechanism for Verifying Software Release Integrity
PS.2.1Make Integrity Verification Information Available
PS.3Archive and Protect Each Software Release
PS.3.1Securely Archive Software Release Files
PS.3.2Collect and Share Software Provenance Data
PW — Produce Well-Secured Software (24 practices)
PW.1Design Software to Meet Security Requirements and Mitigate Risks
PW.1.1Use Risk Modeling to Assess Security Risk
PW.1.2Track Security Requirements, Risks, and Design Decisions
PW.1.3Use Standardized Security Features and Services
PW.2Review the Software Design to Verify Compliance with Security Requirements
PW.2.1Conduct Independent Security Design Review
PW.4Reuse Existing Well-Secured Software
PW.4.1Acquire and Maintain Well-Secured Third-Party Components
PW.4.2Create and Maintain Well-Secured In-House Components
PW.4.4Verify Third-Party Component Compliance
PW.5Create Source Code by Adhering to Secure Coding Practices
PW.5.1Follow Secure Coding Practices
PW.6Configure the Compilation, Interpreter, and Build Processes
PW.6.1Use Security-Enhancing Compiler and Build Features
PW.6.2Configure Compiler and Build Tool Security Features
PW.7Review and Analyze Human-Readable Code
PW.7.1Determine Code Review and Analysis Methods
PW.7.2Perform Code Review and Analysis
PW.8Test Executable Code
PW.8.1Determine Executable Code Testing Methods
PW.8.2Scope and Perform Executable Code Testing
PW.9Configure Software to Have Secure Settings by Default
PW.9.1Define a Secure Baseline Configuration
PW.9.2Implement and Document Default Settings
RV — Respond to Vulnerabilities (12 practices)
RV.1Identify and Confirm Vulnerabilities on an Ongoing Basis
RV.1.1Gather and Investigate Vulnerability Reports
RV.1.2Review Code for Previously Undetected Vulnerabilities
RV.1.3Establish Vulnerability Disclosure Policy
RV.2Assess, Prioritize, and Remediate Vulnerabilities
RV.2.1Analyze Vulnerability Risk for Remediation Planning
RV.2.2Plan and Implement Vulnerability Risk Responses
RV.3Analyze Vulnerabilities to Identify Root Causes
RV.3.1Perform Root Cause Analysis on Vulnerabilities
RV.3.2Analyze Root Cause Patterns Over Time
RV.3.3Proactively Fix Vulnerability Classes
RV.3.4Update SDLC to Prevent Recurrence