So here is a security control framework question. I am going through an exercise of mapping our control set to various frameworks to track compliance, with NIST CSF as the "main" framework, linking others to it. The very first one in the list is enforcing signed commits to software repos. Trying to map that to the NIST CSF isn't working. It feels like the NIST CSF items are about Enterprise operations, not software development. Does anyone disagree, or should I add a section to my own derivative framework for Protect.SDLC?
Here's another framework if you didn't have enough already:
Section: Protect Software (PS), PS.1, Example 3: "Use commit signing for code repositories". NIST CSF mapping: PR.AC-4, PR.DS-6, PR.IP-3.
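The control being mapped here (SSDF PS.1, example 3: commit signing), as an added CI-style enforcement check that is not part of this thread or of either framework's text. It reads the `%G?` signature-status codes that `git log` emits and reports every commit that fails the policy; the sample log lines are constructed, and the function/variable names are my own.

```shell
#!/bin/sh
# Added example: a gate for "all commits must carry a trusted signature".
# Input lines have the shape "<sha> <%G? code>", which is exactly what
#   git log --format='%H %G?' <range>
# prints when git can reach gpg (or the configured ssh allowedSignersFile).
# %G? codes: G good/trusted, U good/untrusted, B bad, X expired signature,
# Y expired key, R revoked key, E cannot be checked (missing key), N unsigned.
# Policy: only "G" passes. Pass "U" as $1 to also accept untrusted-but-good.
check_signed_commits() {
  allow="${1:-}"
  awk -v allow="$allow" '
    BEGIN {
      reason["U"] = "good signature, untrusted key"
      reason["B"] = "BAD signature"
      reason["X"] = "good signature, expired"
      reason["Y"] = "good signature, key expired"
      reason["R"] = "good signature, key revoked"
      reason["E"] = "cannot be verified (missing key)"
      reason["N"] = "not signed"
    }
    NF >= 2 {
      if ($2 == "G") next
      if ($2 == "U" && allow == "U") next
      r = ($2 in reason) ? reason[$2] : "unknown status"
      printf "%s %s %s\n", $1, $2, r
    }'
}

# Run the policy over a real revision range, e.g. origin/main..HEAD.
# Returns 1 (failing the CI job) if any commit does not meet the policy.
# Note: "E" means the verifying host lacks the signer key, so the CI runner
# must trust the team's keys or every signed commit will fail as E.
enforce_range() {
  failures=$(git log --format='%H %G?' "$1" | check_signed_commits "${2:-}")
  if [ -n "$failures" ]; then
    printf 'Commits in %s violating signing policy:\n%s\n' "$1" "$failures" >&2
    return 1
  fi
  return 0
}

# Constructed sample of git log output (fake hashes) for an offline demo.
SAMPLE_LOG='aaa1111 G
bbb2222 N
ccc3333 U
ddd4444 E'
printf '%s\n' "$SAMPLE_LOG" | check_signed_commits
```

Running the file prints the three non-compliant sample commits; in a pipeline you would call `enforce_range origin/main..HEAD` instead.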