June 15, 2023

Letter to NIST re Moving SSDF Version 1.1 to an International Standard

Dr. Laurie E. Locascio


National Institute of Standards and Technology

100 Bureau Drive

Gaithersburg, MD 20899

Sent via email: laurie.locascio@nist.gov


Dear Director Locascio,

The Cybersecurity Coalition (“the Coalition”) recognizes NIST’s excellent work in promoting security in the software ecosystem, ultimately leading to the publication of SP 800-218 Secure Software Development Framework (SSDF). The Coalition now urges NIST to put forward SSDF Version 1.1 to be published by an international standards body, such as the International Organization for Standardization (ISO).

As you know, the Coalition is composed of leading companies with a specialty in cybersecurity products and services, who are dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies. We seek to ensure a robust marketplace and effective policy environment that will encourage companies of all sizes to take steps to improve cybersecurity risk management, domestically within the US, and internationally.

As more organizations understand the importance of secure software development and improved software security, the SSDF is becoming a widely respected and integral part of current cybersecurity efforts not only in the U.S., but increasingly at a global level. The Coalition believes that additional benefit could be derived from the publication of the document as an international standard to confirm its global status utility. The Coalition expects an international standardization effort would introduce the framework to new audiences, new perspectives, and new use cases. Increased international engagement and adoption of the framework will help to address vulnerabilities throughout global software supply chains and to harmonize the language used by producers and customers in these supply chains.

The Coalition does not want to see the SSDF undergo significant changes, nor for NIST’s role as the steward of the document to be diminished. Rather, the Coalition hopes and expects that the international standardization of the already reviewed and updated 1.1 version would be relatively straightforward. Acceptance in a non-US governed body would bolster the SSDF’s adoption by mitigating concern from foreign organizations centered around the current U.S. federal ownership of the standard.

The Coalition appreciates that NIST continually listens to and engages with the private sector and thanks NIST for allowing us to contribute our thoughts and recommendations to the dialog. As the conversation around this topic continues to evolve, we would welcome the opportunity to further serve as a resource and partner in bringing the SSDF to an international standards body.

Respectfully Submitted,

Ari Schwartz

Coordinator, Cybersecurity Coalition


Cc: James A. St. Pierre, Acting Director, Information Technology Laboratory

Kevin Stine, Chief, Applied Cybersecurity Division