
    Supply-chain Levels for Software Artifacts

    OpenSSF framework defining progressive levels of build-system integrity for software supply chain security, focused on tamper-resistance of the build.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.

    Definition

    SLSA (Supply-chain Levels for Software Artifacts) is an Open Source Security Foundation (OpenSSF) specification that defines four progressive maturity levels for the integrity of a software build process. Each level adds requirements: SLSA Level 1 asks for a scripted build and provenance; Level 2 requires a hosted build service that generates signed provenance; Level 3 requires the build environment to be hardened and non-falsifiable; Level 4 (still evolving) requires a hermetic, two-person-reviewed build. SLSA's central contribution is provenance: verifiable attestations of how, where, and from what sources an artifact was built.

    What the regulation says

    Not yet directly cited by FDA, but referenced by CISA's Software Supply Chain Security guidance and accepted as evidence under NIST SSDF practice PS.3 (Verify Third-Party Software) and PO.3 (Implement Supporting Toolchains). Expect SLSA references to appear in future FDA cybersecurity guidance updates.

    What this means in practice

    SLSA complements SBOM. An SBOM tells you what is inside an artifact; SLSA provenance tells you whether the artifact was actually built from the sources it claims, in a build environment that wasn't tampered with. For medical device manufacturers concerned about XZ-Utils-style supply-chain compromises, SLSA Level 2+ for first-party builds and SLSA-verifiable provenance from upstream component suppliers are the strongest available defenses.
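
    The consumer-side check the Definition and this section describe (does the provenance bind to this exact artifact, come from a builder we trust, and name the source we expect?) looks roughly like the following. This is an added example, not code from OpenSSF or the SLSA project: it inspects a decoded in-toto Statement carrying a SLSA provenance v1 predicate and assumes the DSSE envelope signature has already been verified by the tool that fetched it (for instance slsa-verifier or cosign). The artifact bytes, builder ID, source URI and the `externalParameters.source.uri` layout are constructed placeholders; real build types define their own parameter layout.

```python
"""Policy check of a SLSA provenance statement against an artifact (added example).

Assumptions: the DSSE signature over the statement was verified upstream; this
code only inspects the decoded payload. Builder ID, source repository and the
externalParameters layout below are constructed placeholders, not real values.
"""
import hashlib
import json

# Constructed sample artifact; the provenance subject digest is derived from it.
ARTIFACT_BYTES = b"example firmware image contents\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# Consumer policy: builders and source repo we are willing to accept (placeholders).
TRUSTED_BUILDERS = {"https://example-ci.invalid/builder/v1"}
EXPECTED_SOURCE = "git+https://example.invalid/device/firmware"

# Constructed SLSA provenance v1 statement, as it would appear after decoding the DSSE payload.
SAMPLE_PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "firmware.bin", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example-ci.invalid/build-types/generic@v1",
            "externalParameters": {"source": {"uri": EXPECTED_SOURCE}},
            "resolvedDependencies": [
                {"uri": EXPECTED_SOURCE + "@refs/heads/main",
                 "digest": {"gitCommit": "0" * 40}},  # placeholder commit id
            ],
        },
        "runDetails": {"builder": {"id": "https://example-ci.invalid/builder/v1"}},
    },
})


def verify_provenance(statement_json, artifact_bytes, trusted_builders, expected_source):
    """Return a list of policy failures; an empty list means the artifact passes.

    Checks performed:
      1. statement and predicate types are in-toto v1 / SLSA provenance v1;
      2. the artifact's sha256 appears among the statement's subjects, which is
         what binds the attestation to this exact file (a modified binary fails);
      3. the builder ID is one we trust (the hosted-builder property behind L2+);
      4. the recorded source URI is the repository we expect the artifact to come from.
    """
    failures = []
    stmt = json.loads(statement_json)

    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("not an in-toto v1 statement")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicate is not SLSA provenance v1")

    actual = hashlib.sha256(artifact_bytes).hexdigest()
    subject_digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if actual not in subject_digests:
        failures.append("artifact sha256 %s not among provenance subjects" % actual)

    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append("untrusted builder id: %r" % builder)

    source = (pred.get("buildDefinition", {})
                  .get("externalParameters", {})
                  .get("source", {})
                  .get("uri"))
    if source != expected_source:
        failures.append("unexpected source uri: %r" % source)
    return failures


if __name__ == "__main__":
    # Intact artifact passes; a single changed byte no longer matches the subject digest.
    print(verify_provenance(SAMPLE_PROVENANCE, ARTIFACT_BYTES, TRUSTED_BUILDERS, EXPECTED_SOURCE))
    print(verify_provenance(SAMPLE_PROVENANCE, ARTIFACT_BYTES + b"x", TRUSTED_BUILDERS, EXPECTED_SOURCE))
```

    The failure list, rather than a bare boolean, is deliberate: in a device release pipeline you want the gate to record which property failed (digest, builder, or source) so the rejection is auditable. Note what this check cannot do on its own: without the signature verification assumed above, any of these fields could be rewritten by whoever tampered with the artifact, which is exactly why the levels require signed provenance from a hosted builder rather than a self-reported JSON file.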

    Common pitfalls

    • Equating SBOM with supply-chain security: without provenance, an SBOM can be fabricated.
    • Targeting SLSA Level 4 immediately: most organizations start at Level 1-2 and progress as their build infrastructure matures.
    • Ignoring third-party SLSA provenance when selecting components: the framework's value compounds when provenance is both consumed and produced.
