E.1.1 Safely store release artifacts

Control Details

Objective

Preserve release artifacts to help in the identification and analysis of vulnerabilities discovered after release.

Definition

Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data, attestations, metadata) to be retained for each software release.

Assessment Questions

  1. What files and supporting data (like integrity validation, provenance, configuration files, and metadata) do you securely archive and retain for each software release?

Reference Sources

  1. EO 4e(iii), 4e(vi), 4e(x)
  2. SSDF PS.3.1
  3. SSDF-AI PS.3.1
  4. SLSA Source L3: Signed and auditable provenance
  5. OWASP-SCVS 6.3
  6. CNCF-SSC SC-V Authenticate and monitor repository activity
  7. SAMM I-SB-1-A