Cybersecurity Frameworks & Standards For Securing Software Supply Chains

Google SLSA, announced in mid-2021, is a framework for ensuring the integrity of software artifacts throughout the software supply chain.

With its creation spurred by executive order 16025, NIST SSDF is a cybersecurity framework designed to help insure the integrity of critical software infrastructure. While compulsory for federal agencies, this framework may be applied to any government, private, public, or non-profit organization.

OWASP SAMM is short for the Software Assurance Maturity Model. It was created to help organizations formulate and implement a strategy for software security.

PCI DSS is a security framework first introduced in 2004 and is required by the contract for those handling cardholder data. This standard was created to increase controls around cardholder data to reduce credit card fraud.

ISO 27001 provides requirements for an information security management system. This report covers a company’s controls and its operating effectiveness.

SOC 2 Type II is an audit on how a cloud-based service provider handles sensitive information. This report covers a company’s controls and its operating effectiveness.

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings. This report covers a company’s controls and its operating effectiveness.

MITRE’s System of Trust (SoT) is a recently announdced framework designed to help evaluate suppliers, supplies, and service providers; this is done to help mitigate software supply chain attacks. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, and has helped formulate the SoT.