topic Re: NIST CSF and SDLC in Governance, Risk, Compliance

NIST CSF and SDLC

mgorman — Mon, 07 Mar 2022 14:37:20 GMT

So here is a security control framework question. I am going through an exercise of mapping our control set to various frameworks to track compliance, with NIST CSF as the "main" framework, linking others to it. The very first one in the list is enforcing signed commits to software repos. Trying to map that to the NIST CSF isn't working. It feels like the NIST CSF items are about Enterprise operations, not software development. Does anyone disagree, or should I add a section to my own derivative framework for Protect.SDLC?

Re: NIST CSF and SDLC

tmekelburg1 — Mon, 07 Mar 2022 16:59:30 GMT

Here's another framework if you didn't have enough already:

Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (nist.gov)

Section: Protect Software (PS) (PS.1) (Example 3: Use commit signing for code repositories) (NISTCSF: PR.AC-4, PR.DS-6, PR.IP-3)

Re: NIST CSF and SDLC

Montero6299 — Thu, 10 Mar 2022 05:10:00 GMT

@mgorman wrote:
So here is a security control framework question. I am going through an exercise of mapping our control set to various frameworks to track compliance, with NIST CSF as the "main" framework, linking others to it. The very first one in the list is enforcing signed commits to software repos. Trying to map that to the NIST CSF isn't working. It feels like the NIST CSF items are about Enterprise operations, not software development. Does anyone disagree, or should I add a section to my own derivative jcpassociates framework for Protect.SDLC?

A general SDLC includes five phases: initiation, acquisition/development, implementation/assessment, operations/maintenance, and sunset (disposition). Each of the five phases includes a minimum set of security tasks needed to effectively incorporate security in the system development process.