Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, May 12, 2021, directs the National Institute of Standards and Technology (NIST) to publish guidelines on vendors’ source code testing.
“Section 4(r) Within 60 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, shall publish guidelines recommending minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).”
NIST solicited position papers from the community, hosted a virtual workshop to gather input, and consulted with the National Security Agency (NSA) to develop the recommended minimum standards as well as supplementary material to put the standards in the context of a robust testing program which, in turn, is part of a robust development process.
NIST has developed a document that recommends minimum standards for vendor or developer verification of software. These guidelines are summarized on this webpage. See FAQ #3 and FAQ #4 for an explanation of why NIST added the terms “developers” and “verification.”
Note that NIST will be developing guidance on software testing tools and attestations under Part 4(e) of the EO. See FAQ #1.
This webpage provides background information and context for minimum standards for software verification. It then defines eleven tasks and techniques that comprise the recommended software verification minimums. A twelfth task, fixing critical bugs, is included for completeness.