| Scope and covered activity | SSDF defines the secure software development practices to apply across the SDLC. Use NIST SSDF to show which product, release, supplier, or process is in scope before you map any evidence. | SLSA defines supply-chain integrity levels and provenance for build and release artifacts. Use SLSA when the question is whether the build or artifact chain can be trusted and verified before deployment. | For scope, write separate acceptance criteria for NIST SSDF and SLSA; reuse evidence only where it proves both claims without changing the meaning. |
|---|
| Who must act | Assign NIST SSDF work to the owner who can approve the scoped risk, control, software, supplier, incident, or governance decision and provide evidence. | Assign SLSA work to the owner who controls that program, contract, certification, legal obligation, or operational procedure. | A shared team can support both sides, but the accountable owner should be named separately for NIST SSDF and SLSA. |
|---|
| Trigger or threshold | NIST SSDF is adopted when an organization needs a secure software development practice set for a product, release, supplier, vulnerability response, or software acquisition workflow. | SLSA is adopted when a team needs stronger software supply-chain integrity, especially build provenance, artifact traceability, and tamper-resistance expectations for delivered software. | Record the adoption driver in plain language so product, engineering, security, risk, procurement, and assurance teams know when the comparison must be rerun. |
|---|
| Core obligations | NIST SSDF requires organizations to implement practices across PO (organizational preparation), PS (software protection), PW (well-secured software production), and RV (vulnerability response), and to record evidence for each practice showing it was applied to the specific software release in scope. | SLSA requires build platforms to produce signed provenance attestations for every artifact, meet Build Level requirements (L1: provenance exists, L2: hosted build, L3: hardened build), and allow consumers to verify artifact integrity and provenance before deployment. | Turn the comparison into an action list with separate duties, shared controls, and unresolved gaps, then cite the source that supports each reused artifact. |
|---|
| Evidence and records | NIST SSDF: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | SLSA: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep a traceable evidence matrix: source, claim, owner, artifact, review date, and whether the evidence satisfies NIST SSDF, SLSA, or both. |
|---|
| Timing and cadence | NIST SSDF: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | SLSA: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use separate clocks for each side and surface the earliest decision date, longest retention or review duty, and any transition period that changes implementation sequencing. |
|---|
| Enforcement or assurance route | NIST SSDF assurance usually comes from internal engineering governance, secure development reviews, supplier assurance, vulnerability management evidence, customer requests, or contractual commitments. | SLSA assurance usually comes from provenance records, build-platform controls, artifact verification, policy checks, supplier expectations, or customer and contract reviews. | Escalate when assurance routes differ because engineering leadership, risk owners, assessors, customers, or contract counterparties may require different proof. |
|---|
| Overlap and reuse | NIST SSDF: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | SLSA can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Reuse evidence carefully: overlap can reduce duplicated work, but it does not merge scope, actors, deadlines, penalties, or public-facing wording. |
|---|
| Practical decision rule | Use NIST SSDF when the deliverable is a secure software development attestation for a FISMA system, a FedRAMP package, a vendor self-attestation under EO 14028, or a mapping of developer practices to SSDF PO/PS/PW/RV task IDs. | Use SLSA when the deliverable is a build provenance attestation, a supply chain integrity level claim (SLSA L1/L2/L3), or an artifact verification step that checks the signed provenance record produced by the build platform against a declared policy. | When both apply, write one decision record with two source-linked claims instead of forcing one framework to stand in for the other. |
|---|