feat: add NIST SP 800-218 Secure Software Development Framework skill

[sjackson0109]

NIST SP 800-218 — Secure Software Development Framework (SSDF)

Source: NIST Special Publication 800-218, Version 1.1, February 2022
CSRC: https://csrc.nist.gov/publications/detail/sp/800-218/final

---

Files Added

plugins/nist-sp-800-218/
  .claude-plugin/
    plugin.json
  skills/
    nist-sp-800-218/
      SKILL.md
      references/
        ssdf-practices.md
        secure-development-controls.md
        implementation-guidance.md

---

Framework Coverage

1. SSDF purpose and scope: reduce software vulnerabilities, address root causes, support repeatable measurement; applies to all software types (COTS, open source, custom-developed, SaaS)
2. Four practice groups: PO (Prepare the Organisation, 5 practices), PS (Protect the Software, 3 practices), PW (Produce Well-Secured Software, 7 active practices), RV (Respond to Vulnerabilities, 3 practices); 19 active practices total (PW.3 and PW.8 removed in SSDF v1.1)
3. PO.1 Security Requirements: organisational and project-level requirements; OWASP ASVS risk tiers; threat modelling as requirements derivation method; CWE Top 25 as reference
4. PO.2 Roles and Responsibilities: role definitions with security responsibilities; training curriculum by role; security champions programme establishment
5. PO.3 Supporting Toolchains: toolchain coverage by SDLC phase; CI/CD pipeline gate configuration with thresholds and blocking conditions; approved tool catalogue
6. PO.4 Security Check Criteria: SDLC phase-gate checklists for 5 phase transitions; severity-to-gate-impact mapping; exception and risk acceptance process
7. PO.5 Secure Environments: dev/staging/production separation; developer workstation security baseline; build environment hardening (ephemeral agents, OIDC authentication, secrets manager integration)
8. PS.1 Protect Code: repository RBAC; branch protection rules; CODEOWNERS; secrets scanning (pre-commit + CI); secrets incident response (key rotation, history purging)
9. PS.2 Integrity Verification: code signing (Authenticode, Apple Developer ID, GPG, cosign); SHA-256/384/512 checksums; HSM/KMS key storage; SLSA framework levels with provenance attestation JSON
10. PS.3 Archive Releases: per-release security package structure (artifacts, SBOM, scan reports, provenance, approvals); immutable storage; retention requirements
11. PW.1 Secure Design: 5-step threat modelling process with STRIDE applied to DFD elements; DREAD/CVSS threat rating; mitigation disposition; secure design principles catalogue
12. PW.2 Design Review: architecture review board gate; design review checklist; risk register for design-level findings
13. PW.4 Component Reuse: component health evaluation criteria table with reject/warn/accept thresholds; OpenSSF Scorecard check inventory with SSDF alignment; dependency version pinning strategy
14. PW.5 Secure Coding: language-specific secure coding standards and primary CWEs for 8 languages (C/C++, Java, Python, JavaScript/TypeScript, Go, .NET/C#, Ruby, PHP); 7 universal secure coding principles
15. PW.6 Build Hardening: C/C++ compiler security flags; ASLR/PIE; Control Flow Integrity; JVM security; container image hardening (non-root, read-only rootfs, capability dropping)
16. PW.7 Code Review: mandatory security-focused review scope; SAST finding priority mapping by severity; automated code review integration in PR workflow
17. PW.9 Security Testing: test type catalogue (SAST, SCA, secrets, DAST, API, container, IaC, fuzz, penetration test, licence); penetration test scope document template; DAST CI integration
18. RV.1 Identify Vulnerabilities: internal and external sources; NVD/CISA KEV/OSV/GitHub Advisory monitoring; VDP template; responsible disclosure process
19. RV.2 Assess and Remediate: CVSS v3.1 base and environmental scoring; remediation SLA by severity (Critical 15 days, High 30 days, Medium 90 days, Low 180 days); patch delivery decision tree; CVD process
20. RV.3 Root Cause Analysis: root cause taxonomy table; RCA record template; training improvement loop; quarterly trend reporting
21. EO 14028 software security requirements table with SSDF practice mapping; OMB M-22-18 and M-23-16 compliance requirements; software attestation form template
22. SBOM: NTIA 7 minimum elements; SPDX, CycloneDX, and SWID formats; SBOM quality dimensions; SBOM-based CVE monitoring workflow
23. Complete SP 800-53 Rev 5 mapping for all 18+ practices across SA, AT, CM, RA, CA, SI, PL, PM, IR control families
24. NIST CSF 2.0 function and category mapping across GV, ID, PR, DE, RS, RC functions
25. ISO 27001:2022 control mapping covering domains 8.25-8.31 and 8.8 plus supporting controls
26. SSDF maturity model (levels 0-4); maturity assessment grid; three-phase roadmap (Foundation 1-3 months, Depth 3-9 months, Optimise 9-18 months)
27. Application risk classification: 4-tier model with scoring criteria
28. SSDF for AI/ML software aligned to NIST SP 800-218A draft supplement
29. Vendor/third-party SSDF requirements: procurement checklist; 6 model contractual clauses

---

Reference Files

ssdf-practices.md

• Complete task-level inventory of all 19 SSDF practices with task IDs and implementation examples
• Security champion programme structure and training curriculum table
• CI/CD pipeline gate configuration with explicit threshold and blocking logic
• SDLC phase-gate checklist (5 gates: requirements → design, design → code, code → test, test → RC, RC → production)
• Developer workstation security baseline table
• Repository branch protection configuration baseline
• Secrets detection patterns and response procedure
• SLSA provenance attestation JSON example
• Per-release security package directory layout
• Threat modelling process with STRIDE element-by-element application
• Component health evaluation criteria with OpenSSF Scorecard check descriptions
• Language-specific secure coding standards table (8 languages, primary CWEs)
• Security testing type catalogue with test purpose, trigger timing, and tool examples
• Penetration test scope document template
• Root cause taxonomy table by CWE, SDLC phase, and failure type
• Root cause analysis record template
• VDP template and CVE monitoring frequency table

secure-development-controls.md

• Annotated DevSecOps pipeline architecture (pre-commit through production monitoring)
• SAST: Semgrep ruleset catalogue; SARIF integration; CodeQL query inventory mapped to CWE and SSDF
• SCA: scanning scope definition; dependency version pinning comparison table; OWASP Dependency-Check CI configuration YAML
• Secrets management: secret type and detection pattern table; OIDC-based pipeline authentication description; supported OIDC integrations by platform
• Container security: image build control table; cosign/Sigstore signing and verification commands; keyless signing explanation
• SBOM: Syft generation commands; SBOM quality dimensions table; SBOM-based CVE monitoring workflow
• EO 14028 / OMB M-22-18 attestation requirements and form language
• DevSecOps security metrics (10 metrics with targets)
• OWASP CI/CD Security Top 10 full mapping to SSDF practices

implementation-guidance.md

• SSDF maturity assessment scale (0–4) and complete practice maturity grid
• Three-phase roadmap with activities, milestones, and success criteria
• Application risk classification (4 tiers, 5-criterion scoring table)
• SSDF compliance evidence requirements per practice
• Federal attestation package requirements and attestation form template
• SSDF to ISO 27001:2022 full mapping table
• SSDF to SP 800-53 Rev 5 control family mapping by practice group
• SSDF to NIST CSF 2.0 mapping
• SSDF for AI/ML software (SP 800-218A alignment)
• Third-party procurement checklist (10 items)
• 6 model contractual SSDF clauses

---

Integration Points

• SP 800-53 Rev 5: SSDF directly implements SA (Software Acquisition), AT (Training), CM (Configuration Management), RA (Risk Assessment), SI (Flaw Remediation), IR control requirements
• SP 800-37 Rev 2 RMF: SSDF practices feed RMF steps 1 (categorise), 2 (select), 3 (implement)
• SP 800-161 Rev 1 C-SCRM: PS practices and PW.4 support supply chain risk management; SBOM requirements align to C-SCRM supplier obligations
• NIST CSF 2.0: SSDF practices map to all six CSF functions (GV, ID, PR, DE, RS, RC)
• ISO 27001:2022: SSDF satisfies Annex A controls 8.25-8.31 (secure development) and 8.8 (vulnerability management)
• EO 14028: SSDF is the designated NIST framework for EO 14028 software supply chain security; OMB M-22-18/M-23-16 require SSDF attestation for federal software procurement
• CISA KEV: RV.1/RV.2 monitoring must include daily CISA KEV feed matching against deployed software component inventory

---

Tests

python -m pytest tests/test_plugin_structure.py -v -k "nist-sp-800-218"

test_plugin_json_exists[nist-sp-800-218] PASSED
test_plugin_json_is_valid[nist-sp-800-218] PASSED
test_plugin_json_required_fields[nist-sp-800-218] PASSED
test_plugin_version_semver[nist-sp-800-218] PASSED
test_skills_directory_exists[nist-sp-800-218] PASSED
test_skills_directory_has_one_skill_folder[nist-sp-800-218] PASSED
test_skill_md_exists[nist-sp-800-218] PASSED
test_skill_md_not_empty[nist-sp-800-218] PASSED
test_no_files_outside_skill_folder[nist-sp-800-218] PASSED
test_references_are_markdown[nist-sp-800-218] PASSED

10 passed, 95 deselected