Though existing industry standards, tools, and recommended practices have been primarily presented through the lens of SP 800-161, Rev. 1, additional consideration of software supply chain security from the lens of the acquirer extends far beyond this document. Federal agencies looking for additional industry standards, tools, and recommended practices should reference the cross-industry publications listed in Table F-5.
| Source | Description |
| --- | --- |
| The BSA Framework for Secure Software: A New Approach to Securing the Software Lifecycle, Version 1.1 | Offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry (e.g., developers, vendors, customers, policymakers, and others) communicate and evaluate the security outcomes associated with specific software products and services |
| Building Security in Maturity Model (BSIMM) Version 12 | A study of existing software security initiatives across 100+ different organizations that provides a baseline of activities for software security |
| CISA and NIST's Defending Against Software Supply Chain Attacks | Provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cybersecurity Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks |
| CISA's Internet of Things Security Acquisition Guidance | Provides recommendations on the acquisition function of an organization and how to apply cybersecurity and C-SCRM principles and practices throughout the acquisition life cycle when purchasing, deploying, operating, and maintaining IoT devices, systems, and services |
| Cyber Security & Information Systems Information Analysis Center (CSIAC) Software Assurance (SWA) | Explores different aspects of software assurance competencies that can be used to improve software assurance functions and how to develop/deploy assured software throughout the life cycle acquisition process |
| Institute for Defense Analyses (IDA), State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation 2016 | Written to enable DoD program managers (PMs) and their staff to make effective software assurance and software supply chain risk management (SCRM) decisions, particularly when they are developing and executing their program protection plan, and to inform DoD policymakers who are developing software policies |
| ISO/IEC 27036 Information security for supplier relationships | A multi-part standard that offers guidance on the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers |
| ISO/IEC 27034-1:2011 Information technology – Security techniques – Application security – Part 1: Overview and concepts | Presents an overview of application security and introduces definitions, concepts, principles, and processes involved in application security |
| ISO/IEC 20243-1:2018 Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations | A set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle |
| Microsoft, Security Development Life Cycle | Introduces security and privacy considerations throughout all phases of the development process to help developers build highly secure software, address security compliance requirements, and reduce development costs |
| National Defense Industrial Association (NDIA) Engineering for System Assurance | Provides guidance on how to build assurance into a system throughout its life cycle, and identifies and discusses systems engineering activities, processes, tools, and considerations to address system assurance |
| NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 | Voluntary guidance based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk, designed to foster risk and cybersecurity management communications among both internal and external organizational stakeholders |
| NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers | Describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers |
| NISTIR 8259A, Core Device Cybersecurity Capability Baseline | Defines a baseline set of device cybersecurity capabilities that organizations should consider when confronting the challenge of the IoT |
| Open Web Application Security Project (2020) OWASP Application Security Verification Standard 4.0.3 | Provides a basis for testing web application technical security controls and a list of requirements for secure development |
| OWASP Software Assurance Maturity Model (SAMM) Version 2.0 | An open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks that the organization faces |
| Software Assurance Forum for Excellence in Code (SAFECode), Practical Security Stories and Security Tasks for Agile Development Environments | Translates secure development practices into a language and format that Agile practitioners can more readily act upon as part of a standard Agile methodology |
| SAFECode, Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Life Cycle Program, Third Edition | Authoritative best-practices guide written by SAFECode members to help software developers, development organizations, and technology users initiate or improve their software assurance programs and encourage the industry-wide adoption of fundamental secure development practices |
| SAFECode, Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain | Focuses on examining the software integrity element of software assurance and provides insight into the controls that SAFECode members have identified as effective for minimizing the risk that intentional and unintentional vulnerabilities could be inserted into the software supply chain |
| SAFECode, Managing Security Risks Inherent in the Use of Third-Party Components | Provides a blueprint for how to identify, assess, and manage the security risks associated with the use of third-party components |
| SAFECode, Tactical Threat Modeling | Provides guidance on the process of threat modeling as well as the "generic" framework in which a successful threat-modeling effort can be conducted |
| SP 800-53, Rev. 5, Joint Task Force Transformation Initiative, Security and Privacy Controls for Federal Information Systems and Organizations | Provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks |
| SP 800-53A, Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans | Provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations |
| SP 800-53B, Control Baselines for Information Systems and Organizations | Provides security and privacy control baselines for the Federal Government: three security control baselines (low-impact, moderate-impact, and high-impact) and a privacy baseline that is applied to systems irrespective of impact level |
| SP 800-160 Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems | Addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems |