PS.3.1—Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.
>Control Description
Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.
>Practice: PS.3
Archive and Protect Each Software Release
Preserve software releases in order to help identify, analyze, and eliminate vulnerabilities discovered in the software after release.
>Notional Implementation Examples
1. Store the release files, associated images, etc. in repositories following the organization’s established policy. Allow read-only access to them by necessary personnel and no access by anyone else.
2. Store and protect release integrity verification information and provenance data, such as by keeping it in a separate location from the release files or by signing the data.
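The following Go program is an added worked example, not code from NIST SP 800-218 or from this page, showing one way to produce and later check the integrity verification information and provenance data that example 2 asks for. It records a SHA-256 digest per release artifact plus two provenance fields, signs the resulting manifest with an Ed25519 key so the manifest can be archived apart from the release files, and at verification time rejects an altered manifest, a modified artifact, or a missing or extra artifact. The manifest field names, the sample artifacts and the in-process key generation are assumptions made for the example; in practice the private key lives with the release-signing role and only the public key is distributed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the integrity-verification and provenance record retained for a
// release. It is archived and signed separately from the release files.
type Manifest struct {
	Release   string            `json:"release"`
	Builder   string            `json:"builder"`    // provenance: build system identity (assumed field)
	SourceRef string            `json:"source_ref"` // provenance: source commit built (assumed field)
	Digests   map[string]string `json:"digests"`    // artifact name -> hex SHA-256
}

// GenerateSigningKey creates an Ed25519 key pair for the release-signing role.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest hashes every release artifact and records provenance.
func BuildManifest(release, builder, sourceRef string, artifacts map[string][]byte) Manifest {
	m := Manifest{Release: release, Builder: builder, SourceRef: sourceRef, Digests: map[string]string{}}
	for name, data := range artifacts {
		sum := sha256.Sum256(data)
		m.Digests[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Canonical serializes the manifest deterministically (encoding/json emits
// map keys in sorted order) so signer and verifier process identical bytes.
func Canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// SignManifest produces the detached signature archived with the manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	data, err := Canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, data), nil
}

// VerifyRelease checks the manifest signature first, then that the archived
// artifacts match the manifest exactly: no modified, missing or extra files.
func VerifyRelease(pub ed25519.PublicKey, m Manifest, sig []byte, artifacts map[string][]byte) error {
	data, err := Canonical(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, data, sig) {
		return errors.New("manifest signature invalid: integrity data may have been altered")
	}
	if len(artifacts) != len(m.Digests) {
		return errors.New("artifact set differs from the manifest")
	}
	for name, data := range artifacts {
		want, ok := m.Digests[name]
		if !ok {
			return fmt.Errorf("artifact %q is not listed in the manifest", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("artifact %q digest mismatch", name)
		}
	}
	return nil
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample release: the byte strings stand in for real build outputs.
	artifacts := map[string][]byte{
		"app-1.4.2.tar.gz":    []byte("binary release contents"),
		"app-1.4.2.sbom.json": []byte(`{"components":[]}`),
	}
	m := BuildManifest("1.4.2", "ci-runner-07", "a1b2c3d", artifacts)
	sig, _ := SignManifest(priv, m)
	fmt.Println("clean archive:", VerifyRelease(pub, m, sig, artifacts))

	// An artifact altered after archiving no longer matches its recorded digest.
	tampered := map[string][]byte{
		"app-1.4.2.tar.gz":    []byte("binary release contents (modified)"),
		"app-1.4.2.sbom.json": artifacts["app-1.4.2.sbom.json"],
	}
	fmt.Println("tampered artifact:", VerifyRelease(pub, m, sig, tampered))

	// Rewriting the manifest to match the altered artifact breaks the signature.
	m2 := BuildManifest("1.4.2", "ci-runner-07", "a1b2c3d", tampered)
	fmt.Println("tampered manifest:", VerifyRelease(pub, m2, sig, tampered))
}
```

Keeping the signed manifest in a different repository (or under a different access policy) from the release files is what makes the second check useful: an attacker who can rewrite an artifact must also forge the signature, not merely update the digest next to it.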
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218
| Framework | References |
|---|---|
| BSA FSS | PD.1-5, DE.1-2, IA.2 |
| CNCF SSCP | Securing Artefacts—Automation; Controlled Environments; Encryption; Securing Deployments—Verification |
| EO 14028 | 4e(iii), 4e(vi), 4e(ix), 4e(x) |
| IDA SOAR | 25 |
| IEC 62443 | SM-6, SM-7 |
| NIST CSF | (none listed) |
| OWASP SCVS | 1, 3.18, 3.19, 6.3 |
| PCI SSLC | 5.2, 6.1, 6.2 |
| SAFECode SIC | Vendor Software Delivery Integrity Controls |
| SP 800-161 | SA-8, SA-10, SA-15(11), SR-4 |