Compliance Framework

NIST SSDF v1.1 — secure development, enforced.

The NIST Secure Software Development Framework (SP 800-218) defines practices for reducing software vulnerabilities throughout the development lifecycle. MergeGuide maps SSDF practices to code-level enforcement gates — turning framework guidance into automated policy.

SSDF and the Executive Order on software security

NIST SP 800-218 (SSDF) emerged directly from Executive Order 14028, which required NIST to publish guidance on secure software development practices for software sold to the federal government. Today, SSDF compliance is expected by federal agencies and increasingly demanded by enterprise procurement teams.

The SSDF organizes practices into four groups: Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV). MergeGuide focuses on the PW practices — the ones that require demonstrable code-level controls.

MergeGuide includes policies that guide implementation of NIST SSDF v1.1 requirements — automating PW practices at IDE, AI assistant, git hook, and PR gate layers with evidence artifacts for every evaluation.

PW practice coverage

MergeGuide templates cover key SSDF Produce Well-Secured Software (PW) practices:

  • PW.1 — Design software to meet security requirements: detection at design artifact level
  • PW.4 — Reuse existing, well-secured software: dependency vulnerability scanning
  • PW.5 — Create source code by adhering to coding practices: OWASP-class detection
  • PW.6 — Configure the compilation, interpreter, and build processes securely
  • PW.7 — Review and/or analyze human-readable code to identify vulnerabilities
  • PW.8 — Test executable code to identify vulnerabilities: PR gate validation
  • PW.9 — Configure software to have secure settings by default

SSDF detection patterns

Each entry gives the SSDF practice, what MergeGuide detects, and the finding's severity:

  • PW.5 — Secure coding: SQL injection — unparameterized queries with user-controlled input (Critical)
  • PW.5 — Secure coding: command injection via unsanitized shell execution calls (Critical)
  • PW.5 — Secure coding: hardcoded secrets, API keys, and credentials in source code (Critical)
  • PW.5 — Secure coding: use of deprecated or broken cryptographic algorithms (High)
  • PW.9 — Secure defaults: debug mode enabled in production configuration (High)
  • PW.9 — Secure defaults: security headers missing from HTTP response configuration (Medium)
  • PW.4 — Reuse secured software: direct use of vulnerable dependency versions, where detectable in code (High)

Federal procurement ready

SSDF compliance is increasingly required for software sold to federal agencies. MergeGuide's SSDF template generates PW practice attestation evidence — giving your sales team documented proof of compliance for procurement questionnaires.


AI code generation coverage

SSDF PW.5 applies to all code — including code generated by AI assistants. MergeGuide's MCP server injects your SSDF policy set into AI coding tools, ensuring AI-generated code adheres to secure coding practices before it reaches your codebase.


Attestation artifacts

Every PR Gate evaluation produces an immutable artifact mapping findings to SSDF practice IDs. These artifacts support SSDF self-attestation requirements and provide auditable evidence that PW practices operated throughout your development cycle.

Selling software to federal agencies?

See how MergeGuide automates SSDF practice enforcement and generates attestation evidence in a live demo.
