“Companies can’t fully adhere to the federal framework for secure software development until government begins making procurement decisions based on the guidance, according to industry experts.
“The Secure Software Development Framework (SSDF) is a conceptual document that wants software developers and providers to prove they’re in compliance using artifacts, but which threat models, log entries, source code files and vulnerability scan reports agencies require isn’t being universally stated in contracts...”
“That’s not to say industry dislikes the SSDF; rather, it recognizes the Office of Management and Budget’s recent mandate that agencies comply with the guidance will help CISOs and chief information officers secure their IT infrastructure and ensure it’s as free of vulnerabilities as possible...”
“‘I would say that there will be a deadline, and it will have to be a soft deadline,’ said Bob Stevens, area vice president of public sector at GitLab. ‘We’re talking about the potential change of a lot of infrastructure and a lot of transitioning for government agencies.’...” Read the full article here.
Source: Secure Software Development Framework not evident in federal procurement yet – By Dave Nyczepir, April 5, 2022. FedScoop.