WorkflowGLOBALNIST SP 800-218 SSDF

NIST SP 800-218 SSDF SSDF Self-Attestation Workflow

A practical NIST SP 800-218 SSDF Self-Attestation Workflow with steps, owners, evidence fields, decisions, and source-linked review triggers.

Use the cited NIST sources to turn framework language into owners, evidence, review cadence, and decisions that a reader can act on.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

This page explains how to structure a self-attestation workflow for NIST SP 800-218 SSDF. Self-attestation is a way to record which SSDF practices a software supplier, developer, or internal team says it follows, what evidence supports that claim, and who reviews or approves it. Use this workflow when you need a simple, repeatable way to track scope, evidence, decisions, and follow-up across procurement, software releases, control reviews, or incident response.

Section 1

Workflow steps for attestation evidence and approvals

Use the table-like bullets below as the minimum workflow structure. Expand them only when the scope or risk requires more depth.

1 | Intake | Owner: requester and software security owner | Evidence: scoped request, system or supplier name, business objective, source question.
2 | Source selection | Owner: risk or control lead | Evidence: external URL, short quote, applicability rationale, exclusions.
3 | Evidence collection | Owner: implementation owner | Evidence: policy, test result, contract clause, scan output, incident log, or assessment record.
4 | Decision | Owner: accountable executive or delegated risk owner | Evidence: approve, remediate, defer, accept risk, or escalate.
5 | Review | Owner: assurance lead | Evidence: review date, next trigger, changes, residual risk, and open actions.

Sources for this answer

NIST SP 800-218 SSDF v1.1

Primary NIST source for the Secure Software Development Framework.

NIST SP 800-53 Rev. 5 Controls

Primary NIST source for the integrated security and privacy control catalog.

NIST SP 800-161 Rev. 1 Update 1 C-SCRM

Primary NIST source for cybersecurity supply chain risk management practices.

Recommended next step

Put this NIST SSDF guidance into practice

Use the cited sources to make this page operational: define the exact SSDF scope, assign owners, list required artifacts, and set the review gate before moving forward.

Assessment workflow

Open Assessment Autopilot for NIST SSDF

Create source-linked tasks, evidence requests, and review checkpoints for this NIST SSDF scope.

Explore next step

Talk to Sorena

Review this NIST SSDF scope with Sorena

Check source coverage, ownership, evidence gaps, and next steps before publishing or operationalizing the work.

Explore next step

Section 2

Decision points for attestation evidence and approvals

The workflow should force explicit decisions where teams usually leave ambiguity. Each decision should cite the source and explain what evidence is enough.

Is the scope enterprise-wide, system-specific, supplier-specific, software-release-specific, or incident-specific?
Does the source create a required action, a recommended practice, or an informative reference?
What evidence demonstrates implementation and what evidence only demonstrates intent?
Who can accept residual risk and what escalation path applies?