---
title: "NIST SP 800-218 SSDF Self-Attestation Workflow"
canonical_url: "https://www.sorena.io/artifacts/global/nist-sp-800-218-ssdf/ssdf-self-attestation-workflow"
source_url: "https://www.sorena.io/artifacts/global/nist-sp-800-218-ssdf/ssdf-self-attestation-workflow"
author: "Sorena AI"
description: "A practical NIST SP 800-218 SSDF Self-Attestation Workflow with steps, owners, evidence fields, decisions, and source-linked review triggers."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIST SP 800-218 SSDF"
  - "SSDF Self-Attestation Workflow"
  - "workflow"
  - "checklist"
  - "template"
  - "evidence"
  - "NIST SP 800-218"
  - "SSDF"
  - "Secure software development"
---

# NIST SP 800-218 SSDF Self-Attestation Workflow

A practical NIST SP 800-218 SSDF Self-Attestation Workflow with steps, owners, evidence fields, decisions, and source-linked review triggers.

## NIST SP 800-218 SSDF Self-Attestation Workflow overview

Use the cited NIST sources to turn framework language into owners, evidence, review cadence, and decisions that a reader can act on.

This page explains how to structure a self-attestation workflow for NIST SP 800-218 SSDF. Self-attestation is a way to record which SSDF practices a software supplier, developer, or internal team says it follows, what evidence supports that claim, and who reviews or approves it. Use this workflow when you need a simple, repeatable way to track scope, evidence, decisions, and follow-up across procurement, software releases, control reviews, or incident response.

## Workflow steps for attestation evidence and approvals

Use the table below as the minimum workflow structure. Expand it only when the scope or risk requires more depth.

| Step | Stage | Owner | Evidence |
| --- | --- | --- | --- |
| 1 | Intake | Requester and software security owner | Scoped request, system or supplier name, business objective, source question |
| 2 | Source selection | Risk or control lead | External URL, short quote, applicability rationale, exclusions |
| 3 | Evidence collection | Implementation owner | Policy, test result, contract clause, scan output, incident log, or assessment record |
| 4 | Decision | Accountable executive or delegated risk owner | Approve, remediate, defer, accept risk, or escalate |
| 5 | Review | Assurance lead | Review date, next trigger, changes, residual risk, and open actions |

Sources for this answer:

- [NIST SP 800-218 SSDF v1.1](https://doi.org/10.6028/NIST.SP.800-218?ref=sorena.io) - Primary NIST source for the Secure Software Development Framework.
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for cybersecurity supply chain risk management practices.

## Decision points for attestation evidence and approvals

The workflow should force explicit decisions where teams usually leave ambiguity. Each decision should cite the source and explain what evidence is enough.

- Is the scope enterprise-wide, system-specific, supplier-specific, software-release-specific, or incident-specific?
- Does the source create a required action, a recommended practice, or an informative reference?
- What evidence demonstrates implementation and what evidence only demonstrates intent?
- Who can accept residual risk and what escalation path applies?

## Evidence fields for attestation records and approvals

A reusable workflow is only useful if the evidence fields are consistent enough for audits, customer assurance, and independent review.

- Source URL and quote supporting the claim.
- Claim text written in plain language for the reader.
- Owner, reviewer, due date, and review trigger.
- Evidence artifact, storage location, version, and collection method.
- Gap, corrective action, exception, or risk acceptance status.
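To make the decision points above and these evidence fields checkable rather than free text, the following Python example (added here; not Sorena's or NIST's code) models an attestation record with the listed fields and refuses an "approve" decision that is backed only by intent-level evidence. Which artifact types count as implementation versus intent, and the field and rule names, are this example's assumptions.

```python
from dataclasses import dataclass, field
# Evidence types from the workflow's evidence-collection step; treating the first set as
# proof a practice operates and the second as proof of intent is this example's assumption.
IMPLEMENTATION_EVIDENCE = {"test result", "scan output", "incident log", "assessment record"}
INTENT_EVIDENCE = {"policy", "contract clause"}
DECISIONS = {"approve", "remediate", "defer", "accept risk", "escalate"}
REQUIRED_FIELDS = ("source_url", "source_quote", "claim", "owner", "reviewer", "due_date", "review_trigger")

@dataclass
class Artifact:
    kind: str               # one of the evidence types above
    location: str           # storage location
    version: str
    collection_method: str  # e.g. pipeline export, manual upload

@dataclass
class AttestationRecord:
    source_url: str
    source_quote: str
    claim: str              # claim text in plain language
    owner: str
    reviewer: str
    due_date: str
    review_trigger: str
    decision: str
    artifacts: list = field(default_factory=list)
    decided_by: str = ""         # accountable executive or delegated risk owner
    corrective_action: str = ""  # required when the decision is "remediate"

def evidence_strength(record):
    """Strongest evidence attached to the claim: implementation, intent or none."""
    kinds = {a.kind for a in record.artifacts}
    if kinds & IMPLEMENTATION_EVIDENCE:
        return "implementation"
    return "intent" if kinds & INTENT_EVIDENCE else "none"

def validate(record):
    """Return findings that block the record; an empty list means it is consistent."""
    findings = [f"missing field: {n}" for n in REQUIRED_FIELDS if not getattr(record, n)]
    for a in record.artifacts:
        if a.kind not in IMPLEMENTATION_EVIDENCE | INTENT_EVIDENCE:
            findings.append(f"unknown artifact kind: {a.kind}")
        if not (a.location and a.version and a.collection_method):
            findings.append(f"artifact {a.kind!r} lacks location, version or collection method")
    strength = evidence_strength(record)
    if record.decision not in DECISIONS:
        findings.append(f"unknown decision: {record.decision}")
    elif record.decision == "approve" and strength != "implementation":
        findings.append(f"approve requires implementation evidence, found {strength}")
    elif record.decision == "remediate" and not record.corrective_action:
        findings.append("remediate requires a corrective action")
    elif record.decision in ("accept risk", "escalate") and not record.decided_by:
        findings.append(f"{record.decision} requires a named accountable risk owner")
    return findings
```

Run `validate()` on each record before the review step so that a policy document alone can never carry an "approve" decision and every risk acceptance names who accepted it.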

## Primary sources

- [NIST SP 800-218 SSDF v1.1](https://doi.org/10.6028/NIST.SP.800-218?ref=sorena.io) - Primary NIST source for the Secure Software Development Framework.
  - Quote: "core set of high-level secure software development practices"
- [NIST SP 800-53 Rev. 5 Controls](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Primary NIST source for the integrated security and privacy control catalog.
  - Quote: "catalog of security and privacy controls"
- [NIST SP 800-161 Rev. 1 Update 1 C-SCRM](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Primary NIST source for cybersecurity supply chain risk management practices.
  - Quote: "identifying, assessing, and mitigating cybersecurity risks"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/nist-sp-800-218-ssdf/ssdf-self-attestation-workflow
