Archival and Protection of Each Software Release, v1.1
Specifies requirements in accordance with NIST Secure Software Development Framework (SSDF), version 1.1, Practice PS.3: Archival and Protection of Each Software Release. Requires an organization to preserve each software release, together with its integrity verification information and provenance data, so that vulnerabilities discovered in the software after release can be identified, analyzed, and eliminated.
Assessment Steps (2)
1
Secure Archival of Files and Data Per Release (SecureArchivalofFilesandDataPerRelease)
Does the organization securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release?
Artifact
A1
Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports) and supporting notes as appropriate to support the assessor's response to this assessment step.
2
Software Bill of Materials (SoftwareBillofMaterials)
Does the organization collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials)?
Artifact
A1
Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports) and supporting notes as appropriate to support the assessor's response to this assessment step.
Conformance Criteria (2)
Secure Archival of Files and Data Per Release
The organization must securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.
Citation
SSDF
Task PS.3.1
Software Bill of Materials
The organization must collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials).
Citation
SSDF
Task PS.3.2
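The two criteria above (PS.3.1 integrity verification information, PS.3.2 component provenance) are usually satisfied by one per-release record: a manifest of artifact digests plus a component list, authenticated so that the archived record itself cannot be silently altered. The script below is an added example, not code from this page or from NIST. It assumes a hypothetical release directory layout (constructed in a temporary directory), a constructed component list standing in for an SBOM, and an HMAC key as a stand-in for the digital signature an organization would normally apply; the function names are the example's own.

```python
"""Added example: build and verify an authenticated per-release integrity and
provenance record. Not from the page; release layout, components and key are
constructed for the demo, and HMAC stands in for a real release signature."""
import hashlib
import hmac
import json
import os
import tempfile

HASH_ALG = "sha256"


def sha256_file(path):
    """Stream a file through SHA-256 so large release artifacts fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(record):
    # Canonical JSON: key order and separators fixed, so the MAC is reproducible.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_release_record(release_dir, version, components, key):
    """Hash every artifact under release_dir, attach provenance data for the
    release's components, and authenticate the whole record (PS.3.1 + PS.3.2)."""
    artifacts = {}
    for root, _, files in os.walk(release_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, release_dir).replace(os.sep, "/")
            artifacts[rel] = {"alg": HASH_ALG, "digest": sha256_file(path),
                              "size": os.path.getsize(path)}
    record = {"version": version, "artifacts": artifacts, "components": components}
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "hmac": tag}


def verify_release_record(release_dir, signed, key):
    """Return a list of problems; an empty list means the archive matches the record.
    The record's authenticity is checked first: an unauthenticated manifest proves nothing."""
    expected = hmac.new(key, _canonical(signed["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        return ["manifest authentication failed"]
    problems = []
    artifacts = signed["record"]["artifacts"]
    for rel, meta in artifacts.items():
        path = os.path.join(release_dir, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != meta["digest"]:
            problems.append(f"digest mismatch: {rel}")
    present = set()
    for root, _, files in os.walk(release_dir):
        for name in files:
            present.add(os.path.relpath(os.path.join(root, name), release_dir).replace(os.sep, "/"))
    for rel in sorted(present - set(artifacts)):
        problems.append(f"unexpected file: {rel}")  # files added after archival
    return problems


def demo():
    """Constructed scenario: clean archive, tampered artifact, forged manifest."""
    key = b"constructed-demo-key"  # stand-in for the signing key
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "docs"))
        with open(os.path.join(d, "app.bin"), "wb") as f:
            f.write(b"\x7fELF constructed release binary\n")
        with open(os.path.join(d, "docs", "README.txt"), "wb") as f:
            f.write(b"constructed release notes\n")
        components = [{"name": "libexample", "version": "1.2.3",  # constructed SBOM entry
                       "purl": "pkg:generic/libexample@1.2.3",
                       "sha256": hashlib.sha256(b"libexample-1.2.3").hexdigest()}]
        signed = build_release_record(d, "1.1.0", components, key)
        clean = verify_release_record(d, signed, key)
        # Tamper with an archived artifact: the digest check catches it.
        with open(os.path.join(d, "app.bin"), "ab") as f:
            f.write(b"x")
        tampered = verify_release_record(d, signed, key)
        # Attacker also rewrites the manifest digest to match: the MAC check catches that.
        forged = json.loads(json.dumps(signed))
        forged["record"]["artifacts"]["app.bin"]["digest"] = sha256_file(os.path.join(d, "app.bin"))
        forged_result = verify_release_record(d, forged, key)
        return clean, tampered, forged_result


if __name__ == "__main__":
    print(demo())
```

In a real archive the HMAC would be replaced by a signature from a release key kept outside the archive (or a transparency log entry), the component list would come from the build's SBOM, and the signed record would be retained with the artifacts for the full support life of the release.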