OMB Directs Agencies to Implement NIST’s New Guidance on Software Security
The White House’s Office of Management and Budget has directed agencies to implement the National Institute of Standards and Technology’s guidance on software security.
NIST recently published an updated version of its Secure Software Development Framework, intended to fill a gap left by software development life cycle models that rarely address security in detail.
SSDF is a set of fundamental development practices based on recommendations by The Software Alliance, the Open Web Application Security Project and SAFECode.
Agencies are required to immediately adopt SSDF guidelines with respect to all software procured moving forward, OMB said Monday.
OMB issued the directive in accordance with President Joe Biden’s May 2021 executive order on modernizing the federal government’s cybersecurity.
According to a summary published by NIST’s Computer Security Resource Center, SSDF is intended to help agencies align their software development activities with their mission requirements, risk tolerances and resources.
SSDF offers recommendations in four categories: ensuring that an organization is prepared to perform secure software development, protecting components from tampering and unauthorized access, producing software with minimal vulnerabilities at launch, and identifying residual vulnerabilities in software releases.
NIST said that comparing cybersecurity outcomes with SSDF’s practices may help an organization identify gaps that need to be addressed.
The agency recommended that organizations create a remedial action plan that accounts for their mission needs and risk management processes.
Organizations should also consider factors such as cost, feasibility and applicability when deciding which practices they plan to adopt.