Álvaro Reyes
Security Analyst
November 23, 2022

NIST SSDF and IriusRisk Threat Modeling

NIST SSDF and IriusRisk Threat Modeling

What is the Secure Software Development Framework?

The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. The SSDF can help an organization to align and prioritize its secure software development activities with its business/mission requirements, risk tolerances, and resources.1

'NIST SSDF Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities’ can be found here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf the publication itself states: ​​Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Because the framework provides a common vocabulary for secure software development, software purchasers and consumers can also use it to foster communications with suppliers in acquisition processes and other management activities.2

NIST SSDF Objectives

The NIST SSDF practices are organized into four groups3:

  • Prepare the Organization (PO): Ensure that the organization’s people, processes, and technology are prepared to perform secure software development at the organization level and, in some cases, for individual development groups or projects.
  • Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.
  • Produce Well-Secured Software (PW): Produce well-secured software with minimal security vulnerabilities in its releases.
  • Respond to Vulnerabilities (RV): Identify residual vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar vulnerabilities from occurring in the future.

The full list of requirements can be found in the Appendix at the end of this article.

What are the benefits of Threat Modeling with respect to this framework?

Section PW.1.1 of the SSDF specifically says that some form of risk modeling (including threat modeling) must be done to assess the security risk for a software. The SSDF suggests for this section that other standards and frameworks contain useful information to comply with this task. In fact, some of these standards are already well known and are already available in IriusRisk: NIST CSF, IEC62443, OWASP ASVS, NIST 800-53 and others.

This means that, implicitly, IriusRisk already covers the SSDF sections by including the actual countermeasures from other standards and frameworks like the ones listed before. By implementing these sets of countermeasures users can quantify the compliance with this framework. Plus, the mere fact of using IriusRisk already helps in all PW tasks.

Is this the only requirement for federal agencies?

The NIST SSDF was created due to the US’s Executive Order 14028 issued on May 12, 2021 in order to identify existing or develop a new set of guidelines to enhance software supply chain security and it has been chosen to be mandatory for federal agencies1. However, this is not the first requirement regarding federal agencies addressed by IriusRisk.

The Federal Risk and Authorization Management Program, abbreviated as FedRAMP4, is a US federal government program that promotes the adoption of secure cloud services and technologies across government agencies. FedRAMP standardizes these security requirements through a legal framework that incorporates FISMA, an older act passed in 2002 that led to the creation of NIST. Both FedRAMP and FISMA are based on NIST SP 800-53 baselines and contain controls, parameters, and guidance that address the unique components of cloud computing.

IriusRisk includes the FedRAMP library to provide other software vendors a way to be compliant with FedRAMP baselines in order to be eligible for US federal agencies. Find out more in our FedRAMP Article here.


Software vendors whose products have been threat modeled can demonstrate that their products have gone through a proper risk assessment and comply with the set of requirements requested by a federal agency. IriusRisk threat modeling can aid software vendors and federal agencies to comply with multiple requirements detailed within NIST’s Secure Software Development Framework (SSDF).

Try IriusRisk for yourself

Sign up to our Community Edition completely free, and see how your organization can benefit from IriusRisk.

Appendix: NIST SSDF v1.1 Requirements

Here’s the full list of requirements that the NIST SSDF lists in its version 1.1:

  • Protect the Organization (PO): Ensure that people, processes and technology are prepared to perform secure software development
  • Define Security Requirements for Software Development (PO.1)
  • Implement Roles and Responsibilities (PO.2)
  • Implement Supporting Toolchains (PO.3)
  • Define and Use Criteria for Software Security Checks (PO.4)
  • Implement and Maintain Secure Environments for Software Development (PO.5)
  • Protect the Software (PS): Protect all components of their software from tampering and unauthorized access
  • Protect All Forms of Code from Unauthorized Access and Tampering (PS.1)
  • Provide a Mechanism for Verifying Software Release Integrity (PS.2)
  • Archive and Protect Each Software Release (PS.3)
  • Produce Well-Secured Software (PW): Produce well-secured software with minimal security vulnerabilities
  • Design Software to Meet Security Requirements and Mitigate Security Risks (PW.1)
  • Review the Software Design to Verify Compliance with Security Requirements and Risk Information (PW.2)
  • Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality (PW.4)
  • Create Source Code by Adhering to Secure Coding Practices (PW.5)
  • Configure the Compilation, Interpreter, and Build Processes to Improve Executable Security (PW.6)
  • Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements (PW.7)
  • Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements (PW.8)
  • Configure Software to Have Secure Settings by Default (PW.9)
  • Respond to Vulnerabilities (RV): Identify residual vulnerabilities, respond appropriately and prevent similar ones
  • Identify and Confirm Vulnerabilities on an Ongoing Basis (RV.1)
  • Assess, Prioritize, and Remediate Vulnerabilities (RV.2)
  • Analyze Vulnerabilities to Identify Their Root Causes (RV.3)


  1. https://csrc.nist.gov/Projects/ssdf
  2. https://csrc.nist.gov/publications/detail/sp/800-218/final
  3. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.02042022-1.pdf
  4. https://www.fedramp.gov/