Submit Your Feedback on Secure Software Development Framework Version 1.2

Last month, NIST released the initial public draft of Special Publication (SP) 800-218r1 (Revision 1), Secure Software Development Framework (SSDF) Version 1.2: Recommendations for Mitigating the Risk of Software Vulnerabilities, per Executive Order 14306. This document describes new and improved practices, tasks, and examples for the secure and reliable development, delivery, and improvement of software. Please submit your feedback before the comment period ends on January 30^th.                        

Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model. SP 800-218 recommends the SSDF, which is a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impacts of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Because the framework provides a common vocabulary for secure software development, software acquirers can also use it to foster communications with suppliers in acquisition processes and other management activities.

The public comment period is open through January 30, 2026. See the publication details for a copy of the draft and instructions for submitting comments.

NIST Cybersecurity and Privacy Program
Questions and comments can be directed to: ssdf@nist.gov
CSRC Website questions: csrc-inquiry@nist.gov