Glossary of Compliance

Compliance Glossary

Our list of curated compliance glossary offers everything you to know about compliance in one place.

Glossary » NIST » NIST Secure Software Development Framework (SSDF)

NIST Secure Software Development Framework (SSDF)

The NIST Secure Software Development Framework, or NIST SP 800-218, is a set of practices employed by NIST to be embedded in the development cycle of software. The framework promotes the concept of “security-by-design,” which supports developers in discovering and solving vulnerabilities at every stage of development. This approach reduces the chances that released software harbors undiscovered vulnerabilities and actively addresses the root causes of those vulnerabilities to make the software more resilient.

There are four core activities of the SSDF:

  1. Prepare the Organization: It focuses on establishing a culture that is security-oriented and preparing training programs for the security teams based on security best practices.
  2. Protect the Software: This phase of the handbook tells organizations what should be done to protect the software throughout its lifecycle and includes secure coding practices, code review, and more.
  3. Produce Well-Secured Software: In this phase, defects are discovered and fixed at design stage and tested continuously at the time of development.
  4. Address Vulnerabilities: This involves patch management and incident responses in a way that every vulnerability found can be solved and addressed to maintain the integrity and security of the software even after release.

The SSDF accommodates other NIST frameworks into its system to thereby create a holistic approach for software security.

Additional reading

Ultimate Guide to GRC (Governance, Risk, and Compliance)

TL,DR: GRC brings governance, risk management, and compliance into one coordinated operating model. Governance sets direction, risk identifies exposure, and compliance keeps obligations audit-ready. The article explains GRC benefits, implementation steps, frameworks, and why siloed work fails. Co-ordinating people, processes, and technology while managing risks and staying compliant is easier said than done. Businesses often…

A Detailed Overview Of PCI DSS Compensating Controls

If your business handles, stores, transmits, manages, or processes customers’ payment card information, it must comply with PCI DSS (Payment Card Industry Data Security Standard). This is an information security standard that outlines measures and controls for organizations to protect sensitive card details while processing transactions.  Implementing stringent compliance is not a piece of cake…

GRC Integrated Risk Management: Bridging Compliance and Strategic Risk

TL,DR: GRC integrated risk management combines compliance discipline with enterprise-wide risk visibility. It aligns risk work with business decisions instead of treating compliance as the endpoint. The article covers GRC versus IRM, shared data, monitoring, cross-team ownership, and early issue detection. GRC is a long-established discipline that has shaped how organizations set policies, measure risk,…

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.