PS.3.2—Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]).
>Control Description
Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]).
>Practice: PS.3
Archive and Protect Each Software Release
Preserve software releases in order to help identify, analyze, and eliminate vulnerabilities discovered in the software after release.
>Notional Implementation Examples
1. Make the provenance data available to software acquirers in accordance with the organization’s policies, preferably using standards-based formats.
2. Make the provenance data available to the organization’s operations and response teams to aid them in mitigating software vulnerabilities.
3. Protect the integrity of provenance data, and provide a way for recipients to verify provenance data integrity.
4. Update the provenance data every time any of the software’s components are updated.
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218