
Executive Order 14028: Guidelines for Enhancing Software Supply Chain Security

The workshop will share and discuss the approach that NIST is taking to support Section 4e of Executive Order 14028.

NIST has released the Draft Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. The SSDF is a set of fundamental, sound practices for secure software development based on established standards and guidelines produced by various organizations. The SSDF directly addresses several practices that were called out in Section 4e. The SSDF also provides a starting point for discussing other practices that Section 4e specifies.

To support this discussion, NIST is soliciting input about the types of meaningful artifacts of secure software development that software producers can share publicly with software acquirers. This workshop will bring together experts with different viewpoints to share their insights on producing and sharing artifacts of secure software development tools and processes, as well as on attesting to following specific secure software development practices.

Agenda (times are in ET): 
(Updated 11/4)

1:00-1:15

Introduction
Kevin Stine, Chief Cybersecurity Advisor, NIST

This session will provide an introduction to EO Section 4(e) and explain its relationship with OMB’s responsibilities in Section 4(k).

1:15-1:30

The NIST Secure Software Development Framework (SSDF)
Karen Scarfone, Scarfone Cybersecurity 

This session will walk through the basics of NIST’s Secure Software Development Framework (SSDF), including how it is related to other frameworks and how it addresses Section 4e of the EO, in particular securing software development environments and software development practices.

1:30-1:45

Self Declaration and Attestation
Warren Merkel, Chief, Standards Services, NIST

This session will take a real-world look at standards-based self-declaration and self-attestation with security requirements for software development.

1:45-2:15

Generating and Sharing Process and Tool Artifacts
Rohit Sethi, Security Compass
Matt Fussa, Cisco

This session will discuss the feasibility of generating and sharing artifacts from processes and tools for maintaining trusted source code and for verifying and mitigating software vulnerabilities.

2:15-2:25

Break

2:25-2:55

Criteria and Attestation Approaches for Code Provenance
Dan Lorenc, Chainguard
Kurt Samuelson, Microsoft

This session will examine criteria and attestation approaches for maintaining provenance of code and code components, including for open-source software.

2:55-3:25

Vulnerability Disclosure Programs
Kim Schaffer, NIST
Katie Moussouris, Luta Security

This session will reference existing standards, guidelines, industry practices, and experiences for vulnerability disclosure programs.

3:25-4:00

Facilitated Q&A with all speakers
Barbara Guttman, NIST

4:00

Conclusion


Created October 20, 2021, Updated November 19, 2021