Software Security in Supply Chains: Additional Existing Industry Standards, Tools, and Recommended Practices

Though existing industry standards, tools, and recommended practices have been presented primarily through the lens of SP 800-161, Rev. 1, consideration of software supply chain security from the acquirer's perspective extends far beyond this document. Federal agencies looking for additional industry standards, tools, and recommended practices should reference the cross-industry publications listed in Table F-5.

Table F‑5: Existing Industry Standards, Tools, and Recommended Practices for Acquirers



The BSA Framework for Secure Software: A New Approach to Securing the Software Lifecycle, Version 1.1

Offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry (e.g., developers, vendors, customers, policymakers, and others) communicate and evaluate the security outcomes associated with specific software products and services

Building Security in Maturity Model (BSIMM) Version 12

A study of existing software security initiatives across 100+ different organizations that provides a baseline of activities for software security

CISA and NIST’s Defending Against Software Supply Chain Attacks

Provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cybersecurity Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks

CISA’s Internet of Things Security Acquisition Guidance

Provides recommendations on the acquisition function of an organization and how to apply cybersecurity and C-SCRM principles and practices throughout the acquisition life cycle when purchasing, deploying, operating, and maintaining IoT devices, systems, and services

Cyber Security & Information Systems Information Analysis Center (CSIAC) Software Assurance (SWA)

Explores different aspects of software assurance competencies that can be used to improve software assurance functions and how to develop/deploy assured software throughout the life cycle acquisition process

Institute for Defense Analyses (IDA), State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation 2016

Written to enable DoD program managers (PMs) and their staff to make effective software assurance and software supply chain risk management (SCRM) decisions, particularly when they are developing and executing their program protection plan, and inform DoD policymakers who are developing software policies

ISO/IEC 27036 Information security for supplier relationships

A multi-part standard that offers guidance on the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers

ISO/IEC 27034-1:2011 Information technology – Security techniques – Application security – Part 1: Overview and concepts

Presents an overview of application security and introduces definitions, concepts, principles, and processes involved in application security

ISO/IEC 20243-1:2018 Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations

A set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle

Microsoft, Security Development Life Cycle

Introduces security and privacy considerations throughout all phases of the development process to help developers build highly secure software, address security compliance requirements, and reduce development costs

National Defense Industrial Association (NDIA) Engineering for System Assurance


Provides guidance on how to build assurance into a system throughout its life cycle, as well as identifies and discusses systems engineering activities, processes, tools, and considerations to address system assurance

NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1

Voluntary guidance based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk and designed to foster risk and cybersecurity management communications among both internal and external organizational stakeholders

NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers


Describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers

NISTIR 8259A, Core Device Cybersecurity Capability Baseline


Defines a baseline set of device cybersecurity capabilities that organizations should consider when confronting the challenge of the IoT

Open Web Application Security Project (2020) OWASP Application Security Verification Standard 4.0.3

Provides a basis for testing web application technical security controls and a list of requirements for secure development

OWASP Software Assurance Maturity Model (SAMM) Version 2.0

An open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks that the organization faces

Software Assurance Forum for Excellence in Code (SAFECode), Practical Security Stories and Security Tasks for Agile Development Environments

Translates secure development practices into a language and format that Agile practitioners can more readily act upon as part of a standard Agile methodology

SAFECode, Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Life Cycle Program, Third Edition

Authoritative best practices guide written by SAFECode members to help software developers, development organizations, and technology users initiate or improve their software assurance programs and encourage the industry-wide adoption of fundamental secure development practices

SAFECode, Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain


Focuses on examining the software integrity element of software assurance and provides insight into the controls that SAFECode members have identified as effective for minimizing the risk that intentional and unintentional vulnerabilities could be inserted into the software supply chain

SAFECode, Managing Security Risks Inherent in the Use of Third-Party Components

Provides a blueprint for how to identify, assess, and manage the security risks associated with the use of third-party components

SAFECode, Tactical Threat Modeling

Provides guidance on the process of threat modeling as well as the “generic” framework in which a successful threat-modeling effort can be conducted

SP 800-53, Rev. 5, Joint Task Force Transformation Initiative, Security and Privacy Controls for Federal Information Systems and Organizations

Provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks

SP 800-53A, Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

Provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations

SP 800-53B, Control Baselines for Information Systems and Organizations

Provides security and privacy control baselines for the Federal Government: three security control baselines (low-impact, moderate-impact, and high-impact) and a privacy baseline that is applied to systems irrespective of impact level

SP 800-160 Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

Addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems


Created May 3, 2022, Updated May 5, 2022