The frameworks used as the foundation of the P-SSCRM controls and in their mapping, with links to the mapping references, are:
- Proactive Software Supply Chain Risk Management (controls)
- NIST Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (800-161r1) - only the subset of controls specifically identified in this document as mapping back to the Executive Order (controls)
- Building Security In Maturity Model Version 15 (BSIMM) (controls)
- Cloud Native Computing Foundation – Software Supply Chain Best Practices (CNCF) (controls)
- Executive Order 14028 (EO) (controls)
- OpenSSF Scorecard metrics (controls)
- Open Web Application Security Project Software Component Verification Standard Version 1.0 (OWASP-SCVS) (controls)
- Supply-chain Levels for Software Artifacts v1.2 (SLSA) (controls)
- NIST Secure Software Development Framework version 1.1 (SSDF) (controls)
- NIST Secure Software Development Practices for Gen AI version 1.1 (SSDF-AI) (controls)
- DHS/CISA Secure Software Self-Attestation Common Form (controls)