Last Updated on January 14, 2024
President Biden’s “cybersecurity executive order” 14028 from May 2021 mandated the US federal government to move towards compliance with the NIST Secure Software Development Framework (SSDF), SP 800-218. The Office of Management and Budget (OMB) issued a memorandum In September 2022 directing agencies to obtain a self-attestation or statement of conformance with NIST 800-218 from software vendors before using any third-party software—including solutions already in use.
How can software vendors assess their current level of conformance with the NIST SSDF and create an efficient roadmap for closing any gaps?
To talk about top ways Dev teams can benefit from using OWASP’s Software Assurance Maturity Model (SAMM), a recent episode of The Virtual CISO Podcast features Sebastien Deleersnyder, Co-founder and CTO at Toreon. Pivot Point Security CISO and Managing Partner, John Verry, is the host.
OWASP SAMM cross-references NIST 800-218
For SaaS providers and others looking to demonstrate compliance with the NIST SSDF, OWASP SAMM can help appreciably as it systematically cross-references the SSDF.
“The great thing about SAMM is it’s a maturity model,” Sebastien states. “That’s where we can help an organization that’s already doing SAMM to map that onto not only the SSDF, but also onto other frameworks as well.”
ISO 27001 mapping
Another leading cybersecurity framework that SAMM cross-references is ISO 27001, which like NIST 800-218 is increasingly important for SaaS vendors across industries. The 2022 version of ISO 27001 is more focused than ever on AppSec, and OWASP has crowdsourced a lot of new input on ISO 27001.
Sebastien further relates that he’s seeing quite a few orgs pursuing ISO 27001 certification that are defining OWASP SAMM as the application security part of their ISMS.
What’s next?
To hear this podcast with Sebastien Deleersnyder, click here.Here’s why the US government is so hot on the NIST SSDF: Why Does the USG Think We Need the NIST Secure Software Development Framework (SSDF)?