Though existing industry standards, tools, and recommended practices have been primarily presented through the lens of SP 800-161r1upd1, additional considerations of software supply chain security from the lens of the acquirer extend far beyond this document. Federal agencies looking for additional industry standards, tools, and recommended practices should reference the cross-industry publications listed in Table F-5.
Source | Description |
---|---|
The BSA Framework for Secure Software: A New Approach to Securing the Software Lifecycle, Version 1.1 | Offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry (e.g., developers, vendors, customers, policymakers, and others) communicate and evaluate the security outcomes associated with specific software products and services |
Building Security in Maturity Model (BSIMM) Version 12 | A study of existing software security initiatives across 100+ different organizations that provides a baseline of activities for software security |
CISA and NIST’s Defending Against Software Supply Chain Attacks | Provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the C-SCRM framework and the SSDF to identify, assess, and mitigate risks |
CISA’s Internet of Things Security Acquisition Guidance | Provides recommendations for the acquisition function of an organization and how to apply cybersecurity and C-SCRM principles and practices throughout the acquisition life cycle when purchasing, deploying, operating, and maintaining IoT devices, systems, and services |
Cyber Security & Information Systems Information Analysis Center (CSIAC) Software Assurance (SWA) | Explores different aspects of software assurance competencies that can be used to improve software assurance functions and develop or deploy assured software throughout the life cycle acquisition process |
Institute for Defense Analyses (IDA), State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation 2016 | Enables DoD program managers (PMs) and their staff to make effective software assurance and software supply chain risk management (SCRM) decisions, particularly when they are developing and executing their program protection plan, and inform DoD policymakers who are developing software policies |
ISO/IEC 27036 Information security for supplier relationships | A multi-part standard that offers guidance on the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers |
ISO/IEC 27034-1:2011 Information technology – Security techniques – Application security – Part 1: Overview and concepts | Presents an overview of application security and introduces definitions, concepts, principles, and processes that are involved in application security |
ISO/IEC 20243-1:2018 Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations | A set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle |
Microsoft, Security Development Life Cycle | Introduces security and privacy considerations throughout all phases of the development process to help developers build highly secure software, address security compliance requirements, and reduce development costs |
National Defense Industrial Association (NDIA) Engineering for System Assurance | Provides guidance on how to build assurance into a system throughout its life cycle, as well as identifies and discusses systems engineering activities, processes, tools, and considerations to address system assurance |
NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 | Voluntary guidance based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risks and designed to foster risk and cybersecurity management communications among both internal and external organizational stakeholders |
IR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers | Recommends cybersecurity-related activities that manufacturers should consider performing before their IoT devices are sold to customers |
IR 8259A, Core Device Cybersecurity Capability Baseline | Defines a baseline set of device cybersecurity capabilities that organizations should consider when confronting the challenges of IoT |
Open Web Application Security Project (2020) OWASP Application Security Verification Standard 4.0.3 | Provides a basis for testing web application technical security controls and a list of requirements for secure development |
OWASP Software Assurance Maturity Model (SAMM) Version 2.0 | An open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks that the organization faces |
Software Assurance Forum for Excellence in Code (SAFECode), Practical Security Stories and Security Tasks for Agile Development Environments | Translates secure development practices into a language and format that agile practitioners can more readily act upon as part of a standard agile methodology |
SAFECode, Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Life Cycle Program, Third Edition | A best practices guide written by SAFECode members to help software developers, development organizations, and technology users initiate or improve their software assurance programs and encourage the industry-wide adoption of fundamental secure development practices |
SAFECode, Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain | Examines the software integrity element of software assurance and provides insight into effective controls for minimizing the risk that intentional and unintentional vulnerabilities could be inserted into the software supply chain |
SAFECode, Managing Security Risks Inherent in the Use of Third-Party Components | Provides a blueprint for how to identify, assess, and manage the security risks associated with the use of third-party components |
SAFECode, Tactical Threat Modeling | Provides guidance on the process of threat modeling and the “generic” framework in which a successful threat-modeling effort can be conducted |
SP 800-53, Rev. 5, Joint Task Force Transformation Initiative, Security and Privacy Controls for Federal Information Systems and Organizations | Provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks |
SP 800-53A, Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans | Provides a set of procedures for assessing security and privacy controls that are employed in federal information systems and organizations |
SP 800-53B, Control Baselines for Information Systems and Organizations | Provides three security control baselines (i.e., low-impact, moderate-impact, and high-impact) and a privacy baseline that is applied to systems irrespective of impact level |
SP 800-160 Volume 1 Rev. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems | Addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, including the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems |