Introduction:
The Secure Software Development Attestation Form represents a significant step in the federal government's effort to reduce cyber risk in the software it acquires. Under Executive Order 14028 and the OMB memoranda that implement it (M-22-18 and M-23-16), federal agencies must obtain an attestation from a software producer that its software was developed in accordance with secure software development practices before they use it. The attestation form is the instrument by which a producer makes that assertion, and it is grounded in NIST's Secure Software Development Framework (SSDF), so the two are related but distinct: the SSDF is the set of practices, the form is the attestation of conformance to a subset of them. This paper explores the rationale for a framework such as the SSDF, the events that motivated its adoption, and the steps required to produce and maintain software that meets U.S. federal requirements. The aim is to give organizations seeking to deliver software to the federal market an understanding of the SSDF, the attestation form, and their implications.
Context:
In 2020, the SolarWinds breach was a major supply-chain compromise involving SolarWinds Orion, a network management product widely used by government agencies and businesses. The attackers infiltrated SolarWinds' build process and inserted malicious code into updates for the Orion software. Organizations that installed the compromised updates unknowingly gave the attackers remote access to their networks.
The breach had far-reaching consequences, affecting numerous government agencies and private companies. Notable victims included the U.S. Departments of State, Treasury, and Commerce, as well as several other federal agencies. The attack demonstrated that a single compromised vendor build can be turned into a foothold in thousands of downstream networks, which is a very different risk profile from a vulnerability in one deployed product. Executive Order 14028, issued in May 2021, set out a comprehensive strategy to improve cybersecurity across the federal government, and one of its core objectives was to enhance the security of the software that federal agencies use.
The SolarWinds breach was a catalyst for significant changes in cybersecurity regulation and practice, including the federal adoption of NIST's Secure Software Development Framework (SSDF). The SSDF itself was not a direct result of the breach (NIST had already published it as a white paper in April 2020), but the incident made the case for stronger safeguards in the development and build process impossible to ignore: the weak point was not the shipped code as written by the vendor but the integrity of the pipeline that produced it.
The attestation form was developed by the Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the Office of Management and Budget (OMB). It is based on NIST Special Publication 800-218, the Secure Software Development Framework (SSDF), which provides a comprehensive set of practices for secure software development.
Understanding the NIST SSDF:
The Secure Software Development Framework (SSDF) is a set of fundamental software development practices drawn from established secure development standards and guidance. NIST organizes them into four practice groups:
1) Prepare the Organization (PO): Equip individuals, teams, and the organization as a whole with the knowledge, processes, and tools needed to develop secure software.
2) Protect the Software (PS): Protect all components of the software from unauthorized access and tampering, including source code, build artifacts, and the supply chain through which they move.
3) Produce Well-Secured Software (PW): Develop software with minimal security vulnerabilities in its releases by following secure design and coding practices and by using automated tooling to find and remediate security flaws.
4) Respond to Vulnerabilities (RV): Identify and address vulnerabilities in released software, respond rapidly to reduce the impact of exploitation, and analyze root causes so that similar vulnerabilities are prevented in future releases.
Understanding the Attestation Form Requirements:
The form has four main requirements, each of which maps to a subset of SSDF practices:
1) Secure Development and Build Environments (Logging, Encryption, and Access Controls)
- Separate each environment involved in developing and building software, and protect each one.
- Regularly log, monitor, and audit the trust relationships used for authorization and access to those environments and among components within them.
- Enforce multi-factor authentication and conditional access across every environment relevant to developing and building software.
- Document, and minimize the use of, software products that create undue risk within the development and build environments (the tools used to build software are themselves part of the attack surface).
- Encrypt sensitive data, such as credentials, to the extent practicable and based on risk.
- Implement defensive cybersecurity practices, including continuous monitoring of operations and alerts and response to suspected or confirmed incidents.
2) Security of Internal Code and Third-Party Components
- Use automated tools, or comparable processes, to scan the attack surface of internal code on an ongoing basis.
- Protect source code repositories, for example by enforcing branch protection rules so that changes reach a release branch only through reviewed and tested merges.
- Enforce a process for securely selecting, vetting, and updating third-party components and for managing the vulnerabilities they introduce.
3) Maintain Provenance
- Register every third-party component incorporated into the software, including its version and origin.
- Maintain provenance data for all code, both internal and third-party, to the greatest extent feasible, so that the producer can state exactly which inputs and which build produced each release.
4) Vulnerability Checking and Disclosure
- Check every release of the software for vulnerabilities using automated tools or comparable processes, on an ongoing basis and at a minimum before each product, version, or update release.
- Evaluate and address discovered security vulnerabilities before release, under a documented policy or process.
- Operate a vulnerability disclosure program that accepts, reviews, and addresses reported vulnerabilities in a timely fashion and within the timelines the program or applicable policy specifies.
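The provenance requirement above is easier to reason about with a concrete record in hand. What follows is an added example written for this page, not code from CISA's form, from NIST SP 800-218, or from the author: it records the SHA-256 digest of every internal source file and third-party component together with the source revision and builder identity, and then verifies a delivered build against that record. The file paths, file contents, revision identifier and builder name are all constructed for the example, and the JSON layout is ad hoc; a production pipeline would emit a standard attestation format (for instance SLSA provenance) and sign it rather than store bare JSON.

```python
"""Minimal build provenance record and verifier (illustrative, not a standard format)."""
import hashlib
import json
from typing import Dict, List

# Constructed sample inputs standing in for a real source tree and build output.
# Every value here is made up for the example.
SOURCE_REVISION = "a1b2c3d4e5f6"           # assumed VCS commit identifier
BUILDER_ID = "ci-runner-07"                 # assumed identity of the build agent
INTERNAL_SOURCES: Dict[str, bytes] = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int twice(int x) { return x * 2; }\n",
}
THIRD_PARTY_COMPONENTS: Dict[str, bytes] = {
    "vendor/libfoo-1.4.2.tar.gz": b"\x1f\x8b\x08\x00 fake libfoo archive bytes",
}
BUILT_ARTIFACT: bytes = b"\x7fELF fake build output v1"


def sha256_hex(data: bytes) -> str:
    """Content digest used as the identity of every input and output."""
    return hashlib.sha256(data).hexdigest()


def record_provenance(source_rev: str, builder: str, internal: Dict[str, bytes],
                      third_party: Dict[str, bytes], artifact: bytes) -> dict:
    """Capture, at build time, who built what from exactly which inputs."""
    return {
        "source_revision": source_rev,
        "builder": builder,
        "inputs": {
            "internal": {path: sha256_hex(data) for path, data in internal.items()},
            "third_party": {path: sha256_hex(data) for path, data in third_party.items()},
        },
        "artifact_sha256": sha256_hex(artifact),
    }


def verify_build(record: dict, internal: Dict[str, bytes],
                 third_party: Dict[str, bytes], artifact: bytes) -> List[str]:
    """Compare a delivered build against its record; an empty list means it matches."""
    findings: List[str] = []
    for group, present in (("internal", internal), ("third_party", third_party)):
        recorded = record["inputs"][group]
        for path, data in present.items():
            if path not in recorded:
                findings.append(f"unregistered {group} input: {path}")
            elif recorded[path] != sha256_hex(data):
                findings.append(f"digest mismatch for {group} input: {path}")
        for path in recorded:
            if path not in present:
                findings.append(f"recorded {group} input missing: {path}")
    if record["artifact_sha256"] != sha256_hex(artifact):
        findings.append("artifact digest mismatch")
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the three scenarios a reviewer would check and return the findings of each."""
    record = record_provenance(SOURCE_REVISION, BUILDER_ID, INTERNAL_SOURCES,
                               THIRD_PARTY_COMPONENTS, BUILT_ARTIFACT)
    # The record is stored as JSON next to the release so it can be re-checked later.
    stored = json.loads(json.dumps(record, indent=2))

    # 1. Untouched build: nothing to report.
    clean = verify_build(stored, INTERNAL_SOURCES, THIRD_PARTY_COMPONENTS, BUILT_ARTIFACT)
    # 2. Artifact altered after the build (code injected into the shipped binary).
    tampered = verify_build(stored, INTERNAL_SOURCES, THIRD_PARTY_COMPONENTS,
                            BUILT_ARTIFACT + b"\x90\x90 injected payload")
    # 3. A third-party component that was never registered appears among the inputs.
    extra = dict(THIRD_PARTY_COMPONENTS)
    extra["vendor/unknown-0.1.zip"] = b"PK fake archive"
    unregistered = verify_build(stored, INTERNAL_SOURCES, extra, BUILT_ARTIFACT)
    return {"clean": clean, "tampered": tampered, "unregistered": unregistered}


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

The clean build verifies with no findings, while the modified artifact and the unregistered component each produce one. Note the limit of this check, which is the reason requirement 1 exists alongside requirement 3: it detects tampering after the build and inputs that were never registered, but if the build agent itself is compromised, as it was in the SolarWinds case, the attacker's output is what gets recorded. Provenance is only as trustworthy as the environment that produced it, so the record must be generated by a builder the attacker cannot reach and, in practice, signed by it.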
Demonstrate Conformance using a third-party auditor organization:
To demonstrate conformance with the attestation form requirements, an organization may engage a FedRAMP-recognized Third-Party Assessor Organization (3PAO), or one approved in writing by an appropriate agency official, instead of self-attesting. The 3PAO assesses the organization's controls against the four primary requirements through evidence-based testing, examining the artifacts that support each practice rather than relying on policy statements alone. Upon a successful assessment, the 3PAO issues a signed attestation, which the organization can then upload to CISA's Repository for Software Attestation and Artifacts (RSAA) portal. Where the assessment identifies gaps, the organization must document a Plan of Action and Milestones (POA&M) that describes the deficiencies, the mitigations in place, and the schedule for closing them. The POA&M can be shared with federal customers, and an agency that wishes to continue using the software in the meantime may request an extension from the Office of Management and Budget (OMB).
3PAO Attestation Process Workflow: (diagram not reproduced in this text)
About the Author:
Abhay Kshirsagar is a Technology Security & Compliance Leader with a background in consulting and external auditing, which gives him a detailed understanding of regulatory adherence and of implementing robust security measures. He currently serves as Security & Compliance Leader at Cisco, where he leads Controls Automation, the Customer Information Clearing House (CIC), and the Continuous Monitoring Office.