mgorman
Contributor II

NIST CSF and SDLC

So here is a security control framework question. I am going through an exercise of mapping our control set to various frameworks to track compliance, with NIST CSF as the "main" framework, linking others to it. The very first one in the list is enforcing signed commits to software repos. Trying to map that to the NIST CSF isn't working. It feels like the NIST CSF items are about Enterprise operations, not software development. Does anyone disagree, or should I add a section to my own derivative framework for Protect.SDLC?

2 Replies
tmekelburg1
Community Champion

Here's another framework if you didn't have enough already:
Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of...
Section: Protect Software (PS) (PS.1) (Example 3: Use commit signing for code repositories) (NISTCSF: PR.AC-4, PR.DS-6, PR.IP-3)
Montero6299
Viewer


@mgorman wrote:

So here is a security control framework question. I am going through an exercise of mapping our control set to various frameworks to track compliance, with NIST CSF as the "main" framework, linking others to it. The very first one in the list is enforcing signed commits to software repos. Trying to map that to the NIST CSF isn't working. It feels like the NIST CSF items are about Enterprise operations, not software development. Does anyone disagree, or should I add a section to my own derivative framework for Protect.SDLC?
A general SDLC includes five phases: initiation, acquisition/development, implementation/assessment, operations/maintenance, and sunset (disposition). Each of the five phases includes a minimum set of security tasks needed to effectively incorporate security in the system development process.