NIST SSDF Compliance Doesn’t Have to Be a Deal-Breaker
By Barbara Cosgriff, Principal Technologist
Win more government projects by leveraging Wind River Security Assessment services.
It’s hard enough to keep track of the acronyms, let alone the actual compliance requirements.
Commercial enterprises that want to provide critical software to any U.S. government agency are required to complete and submit their CISA (Cybersecurity and Infrastructure Security Agency) Self-Attestation Common Form as directed by OMB (Office of Management and Budget) Memorandum M-22-18, beginning in mid-2022.
M-22-18 requires self-attestation that a vendor is completing the tasks of the NIST (National Institute of Standards and Technology) SSDF (Secure Software Development Framework), which in turn requires alignment between the supplier’s SDLC (software development lifecycle) and SSDF tasks.
Achieving SSDF tasks does not have to be mind-numbingly complex.
Many companies are leveraging Wind River® Security Services and products, not only to simplify compliance but also to streamline their DevSecOps processes, optimize their investment allocations, and cut the costs and time frames of meeting government requirements.
The recent experience of one customer provides an excellent example of how our SSDF Gap Analysis services and Studio Developer product capabilities help companies streamline their processes and win more government contracts.
The company, a major provider of advanced electronics systems for defense, homeland security, aviation, and more, needed to optimize its SDLC in order to meet the tasks of the SSDF. That meant it had to identify, prioritize, and remediate gaps between its SDLC and the tasks of the SSDF — while keeping capital outlays at a minimum and without overstaffing or overburdening cybersecurity staff.
Wind River provided a rigorous, expert assessment of the company’s SDLC, identification of gaps in SSDF-related tasks that could impact self-attestation, and detailed recommendations for remediating those gaps.
The key recommendations included necessary DevSecOps tasks and activities such as:
● Building out a generic base pipeline leveraging infrastructure-as-code and configuration-as-code automation to allow a centralized team to generate pipelines via automation
● Providing automated security gate capabilities in all pipelines
● Making available and requiring the use of application security testing tools in all pipelines
● Embedding security requirements into software configuration management
The customer was able to prioritize the needed changes to its SDLC, quantify the staffing needs and costs associated with those changes, and implement them in a structured and cost-efficient way.
As a longtime user of VxWorks® and Wind River Linux, the company had a history of success with Wind River and deep confidence in Wind River expertise and assessment capabilities. Equally important, the capabilities of Wind River Studio aligned extremely well with the requirements of implementing the recommendations.
For example, the company had the ability to harness Studio’s Pipeline Manager, workflow automation, digital feedback loop, third-party tool integration, and more to execute on the recommendations.
By leveraging the Security Assessment services, the company received objective, data-driven insights into how well its DevSecOps team’s capacity aligned with NIST SSDF practices, how to optimize staffing and other investment decisions to maximize productivity, and how to remediate the gaps between its SDLC and SSDF tasks at minimal cost and within an acceptable time frame.
Most important, from a business perspective, the company unlocked the ability to pursue new business opportunities that require NIST SSDF compliance.
“The incremental cost of the services was small compared to their impact on our DevSecOps processes and our business,” said a senior executive at the company.
Read the full case study. Then get in touch with us to learn more about Wind River Security Assessment services.