NIST's Secure Software Development Framework (SSDF) 1.2
Takeaways for the draft currently out for public comment
NIST recently released version 1.2 of its Secure Software Development Framework (SSDF) for public comment. As its Note to Reviewers explains, the primary reason for the update from SSDF 1.1 was to address Executive Order 14306, which directed that the SSDF include “practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself.”
The content updates from SSDF 1.1 to 1.2 are relatively small, but the changes in format and layout are significant, which makes it arduous to do a side-by-side comparison. To aid you in seeing what’s changed, we’ve created an annotated version. It highlights new content in green and changed content in orange (except for references). Each highlighted instance of changed content also has a callout box with the old text and the new text.
Note that changes to the references were not highlighted. The only references that were updated were for NIST SP 800-53 and SP 800-161. Rather than highlight all of those references, we simply note here that they have been completely redone. Also, all mentions of EO 14028, including its references, have been removed from SSDF 1.2.
Summary of the most noteworthy changes
This summary highlights changes to the SSDF practices and tasks. Most of the edits in the draft were to the notional implementation examples, which carry less weight than changes to the practices and tasks themselves.
Added a Prepare the Organization practice, “Define and Implement a Continuous Process Improvement Plan (PO.6): Identify and execute improvements to cybersecurity processes and procedures throughout the SDLC across all SSDF practices.”
Added a Protect Software practice, “Ensure Software Updates Are Robust and Reliable (PS.4): Implement robust and reliable software update strategies, preferably allowing customers to control any updates to the software package and application configurations. Help software acquirers maintain operations and minimize disruptions by ensuring that software updates are tested and responsibly delivered.”
Expanded the definition of task RV.1.2. SSDF 1.1 defined it as: “Review, analyze, and/or test the software’s code to identify or confirm the presence of previously undetected vulnerabilities,” while SSDF 1.2 states it this way (the added words are “and its default and other common configurations”): “Review, analyze, and/or test the software’s code and its default and other common configurations to identify or confirm the presence of previously undetected vulnerabilities.”
Changed the definition of task RV.2.1 from “Analyze each vulnerability to gather sufficient information about risk to plan its remediation or other risk response” to “Analyze each vulnerability to gather sufficient information about risk and plan its remediation or other risk response.” This change brings the planning itself, not just the gathering of information to support it, into the scope of the task.
In task RV.3.3, the word “fix” was changed to “remediate.” Similar changes were also made to “fix,” “remediate,” and “mitigate” usage in several examples. NIST SP 800-216 defines mitigation as “the temporary reduction or lessening of the impact of a vulnerability or the likelihood of its exploitation” and remediation as “the neutralization or elimination of a vulnerability or the likelihood of its exploitation.”
The deadline for submitting public comments for SSDF version 1.2 is Friday, January 30. If you’re interested in contributing to SSDF 1.2, consider commenting on the five items above and on the list of questions from NIST in the SP’s Note to Reviewers.

