By Steve Lipner, Executive Director, SAFECode

Last fall, SAFECode partnered with the Center for Internet Security (CIS) to create a guide to “Security by Design” that gives development organizations actionable guidance on creating secure software and on meeting the requirements of the NIST Secure Software Development Framework (SSDF). We released a document that provides general guidance and an accompanying spreadsheet that describes specific actions to take in response to the tasks in the SSDF. Our intent was that the guide be useful both to development organizations, which it would help decide what to do, and to end-user organizations, which it would help decide what questions to ask of their suppliers. If you’ve not yet downloaded and reviewed the guide, you can check it out at this link.

As we wrapped up the guide, Tony Rutkowski, one of the CIS participants in the project, suggested that it might be possible to transform it into a standard that organizations could use to demonstrate that they had implemented secure software development practices. Tony participates in the standards efforts of ETSI, a major global and European standards organization, and proposed a work item to its Technical Committee Cyber.

In late 2025 and early 2026, several of us from SAFECode and CIS worked together with the ETSI committee to transform the content of the guide and spreadsheet into language and format appropriate for an ETSI standard. We completed an initial draft in November, and after several rounds of review and revision, ETSI adopted the standard as ETSI TS 104 219 V0.0.7 (2026-01), Software Security Development and Implementation Framework in January and made it available for free download.

The adopted standard includes some minor changes from the guide and spreadsheet, and we plan to reflect those changes in the next release of the guide (real soon now – stay tuned!). The standard also includes mappings to the requirements of the European Union’s (EU) Cyber Resilience Act (CRA) and to the UK National Cyber Security Centre (NCSC) Cyber Resilience Testing (CRT) Assurance Principles and Claims (APC).

As many of you may know, the EU is in the process of providing guidance and harmonized standards to help with CRA compliance. For the CRA in particular, applying standards, and especially harmonized standards, is highly advisable because it provides a defensible presumption of compliance. We believe that the ETSI standard may not only help organizations develop secure software but also support compliance with the requirements of the CRA. Please let us know if you have any questions about the guide or the standard, and we’ll try our best to respond.