Secure Software Development Framework (SSDF) Version 1.2 is Available for Public Comment

NIST has released the initial public draft of Special Publication (SP) 800-218r1 (Revision 1), Secure Software Development Framework (SSDF) Version 1.2: Recommendations for Mitigating the Risk of Software Vulnerabilities, per Executive Order 14306. This document describes new and improved practices, tasks, and examples for the secure and reliable development, delivery, and improvement of software.                           

Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model. SP 800-218 recommends the Secure Software Development Framework (SSDF), which is a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following such practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impacts of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Because the framework provides a common vocabulary for secure software development, software acquirers can also use it to foster communications with suppliers in acquisition processes and other management activities. 

The public comment period is open through January 30, 2026. See the publication details for a copy of the draft and instructions for submitting comments.