The third initiative launched by NIST in response to EO 14028 resulted in the Minimum Standards for Vendor or Developer Verification of Software. These guidelines, released in July 2021, focus primarily on developers supplying software products and services to federal agencies and describe the minimum verification activities (such as threat modeling, automated testing, and code analysis) those developers should perform. Technical descriptions and explanations of the guidelines were released as NISTIR 8397, Guidelines on Minimum Standards for Developer Verification of Software, in October 2021.
At a minimum, agencies should familiarize themselves with these guidelines and take action to ensure applicable recommended baseline practices are being performed by their suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers.
As with the security measures for critical software use, these recommended practices can be operationalized through SP 800-161, Rev. 1, acquisition guidance. Table F-5 outlines how the minimum software verification techniques can be used by federal agencies to enhance existing C-SCRM controls, control enhancements, and supplemental guidance from the acquirer's perspective.
Table F-5: C-SCRM controls that the EO minimum software verification techniques can enhance (the impact column is not reproduced on this page).

| Control Identifier | Control Name | EO Minimum Software Verification Technique Impact |
|---|---|---|
| AU-12 | Audit Record Generation | |
| SA-3 | System Development Life Cycle | |
| SA-4 | Acquisition Process | |
| SA-8 | Security Engineering Principles | |
| SA-9 | External System Services | |
| SA-10 | Developer Configuration Management | |
| SA-11 | Developer Testing and Evaluation | |
| SA-15 | Development Process, Standards, and Tools | |
| SA-22 | Unsupported System Components | |
| SR-6 | Supplier Assessment and Reviews | |
| SR-9 | Tamper Resistance and Detection | |
| SR-11 | Component Authenticity | |
| SI-7 | Software, Firmware, and Information Integrity | |
| CM-3 | Configuration Change Control | |
| CM-6 | Configuration Settings | |
| CM-10 | Software Usage Restrictions | |