Secure Software Development Framework
NIST SP 800-218, a framework of secure software development practices that is referenced by EO 14028 and increasingly by medical device guidance.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.
Definition
The Secure Software Development Framework (SSDF), published as NIST SP 800-218, is a set of fundamental, sound, secure software development practices grouped into four practice groups: Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV). Each practice has tasks, implementation examples, and references that map to common secure-development standards (OWASP SAMM, BSIMM, ISO/IEC 27034, IEC 62443).
What the regulation says
FDA's Cybersecurity in Medical Devices guidance recommends a Secure Product Development Framework (SPDF) and explicitly accepts SSDF, IEC 81001-5-1, ISO/IEC 27034, and similar frameworks as evidence. The Office of Management and Budget's memorandum M-22-18 makes SSDF attestation a requirement for U.S. federal software procurement.
What this means in practice
SSDF gained urgency through Executive Order 14028 (Improving the Nation's Cybersecurity), which made SSDF conformance attestation a requirement for software sold to the U.S. federal government. For medical device manufacturers, SSDF is now the most widely accepted vocabulary for describing your secure development lifecycle in a 510(k) or PMA cybersecurity submission. SSDF practices are largely a superset of IEC 81001-5-1 §5; citing both demonstrates breadth as well as medical-specific depth.
Common pitfalls
- Adopting SSDF in name only: the framework expects measurable practices backed by evidence (e.g., PW.4 'Reuse Existing, Well-Secured Software When Feasible' requires component selection criteria and provenance records).
- Conflating SSDF with SPDF: SPDF is FDA's umbrella term; SSDF is one specific framework that can satisfy an SPDF requirement.
- Forgetting RV (Respond to Vulnerabilities): many manufacturers' SSDF programs are strong on development but weak on post-market response.
Primary references
- 1. NIST SP 800-218: SSDF v1.1 (NIST, csrc.nist.gov)
- 2. HSCC - Health Sector Coordinating Council (HSCC, healthsectorcouncil.org)
- 3. CISA - Healthcare and Public Health Sector (CISA, cisa.gov)