Comply with NIST's secure software supply chain framework with GitLab

Mar 29, 2022 · 4 min read
Sandra Gittlen GitLab profile

In February 2022, the National Institute of Standards and Technology (NIST) published SP 800-218, the Secure Software Development Framework (SSDF) Version 1.1, an update to the U.S. government's framework for securing agencies' software supply chains, which are under increasing attack. The SSDF calls for tighter controls throughout the software development lifecycle and describes a set of practices for organizations, and their third-party suppliers, to follow.

The SSDF focuses on how organizations can protect software supply chains, regardless of technology, platform, programming language, or operating environment, in large part by introducing security early in the DevOps process. Its practices fall into four groups: Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV).

“The goal of the SSDF, in my opinion, is to bring all agencies and their suppliers to the same place in terms of secure software development,” says Joel Krooswyk, senior manager of Solutions Architecture at GitLab. “The framework gets everyone on the same page and speaking the same language, which will inevitably help them to be more effective against whatever threats may come.”

While some agencies, such as the Department of Defense and Central Intelligence Agency, may be more mature in securing and documenting their software supply chains, other public sector organizations are less advanced, relying on a raft of ad hoc legacy applications to track and remediate vulnerabilities by hand.

The SSDF will push government agencies to direct resources, both human and technological, toward automating supply chain security. To meet the framework's requirements without overburdening their teams and budgets, organizations should consider GitLab, a single DevOps platform with security built into the development lifecycle from the first commit onward, end-to-end, and with full visibility into what each pipeline found.

Here’s how GitLab addresses the specific practices within the SSDF:

1. Prepare the organization

GitLab helps organizations ensure that their people, processes, and technology are prepared to perform secure software development, in line with SSDF practices.

The GitLab DevOps platform features:

2. Protect the software

The SSDF guides organizations to protect all components of their software from tampering and unauthorized access.

GitLab helps organizations accomplish this through the use of:

3. Produce well-secured software

According to the SSDF, organizations should produce well-secured software with minimal security vulnerabilities in its releases.

The GitLab DevOps platform is purpose-built for this best practice and includes:

4. Respond to vulnerabilities

The SSDF wants organizations to be able to identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.

GitLab enables organizations to find and fix vulnerabilities early in the development process. The GitLab DevOps platform also features:

Using GitLab's DevOps platform, government agencies and their suppliers can apply the practices set forth in the SSDF and, through continuous compliance, show that their software supply chain also meets the requirements of other mandates.
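As an added example (not code from the original post or from GitLab's own documentation), here is a minimal `.gitlab-ci.yml` that turns on the scanners behind the "produce well-secured software" and "respond to vulnerabilities" practices so that findings appear in the merge request before code reaches the default branch. The `include` template paths are GitLab's real built-in CI templates; the `build` job, its script, and the assumption that the scanners auto-detect the project's language and package manager are hypothetical.

```yaml
# Added example, not the page's or GitLab's own code. Enables GitLab's built-in
# scanners on every pipeline so findings surface in the merge request before a
# change lands on the default branch (SSDF practice groups PW and RV).
# The template paths are GitLab's real CI templates; everything else here
# (stage names, the build job and its script) is an assumption for illustration.

stages:
  - build
  - test

include:
  # Static analysis of the project's own source; the analyzer is chosen
  # automatically from the languages detected in the repository.
  - template: Security/SAST.gitlab-ci.yml
  # Scans the repository history and the current tree for committed
  # credentials, API tokens and private keys.
  - template: Security/Secret-Detection.gitlab-ci.yml
  # Checks third-party packages (from the project's lockfile or manifest)
  # against known-vulnerable versions.
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# Hypothetical build job. The scanner jobs from the templates run in the
# default 'test' stage, after this stage completes.
build:
  stage: build
  script:
    - echo "build the application here"
```

The scanner jobs publish their findings as job `reports` artifacts. In GitLab Ultimate those reports feed the merge-request security widget and the project vulnerability report, which is where the "respond to vulnerabilities" workflow (triage, dismissal with a reason, issue creation) takes place; on lower tiers the jobs still run and the raw report files remain downloadable from the pipeline.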
