Secure Software Development Framework
Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, requires U.S. government agencies to enhance core capabilities of software security supply chains. Based on the EO’s directive, the National Institute of Standards and Technology (NIST) released Special Publication 800-218, Secure Software Development Framework (SSDF), which outlines key practices that a software producer must follow to ensure a secure supply chain. The Office of Management and Budget (OMB) issued Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, requiring U.S. government agencies to only procure and operate software that attests to complying with the SSDF practices outlined within NIST 800-218 and the SSDF self-attestation form developed by the Cybersecurity and Infrastructure Security Agency (CISA).
Adobe’s Conformance to SSDF
In accordance with the Executive Order on Improving the Nation’s Cybersecurity and M-22-18/M-23-16, Adobe, as a non-critical software producer, has partnered with our third-party assessment organization (3PAO) to assess our software development practices against requirements outlined in the Secure Software Development Attestation Form and NIST 800-218 Secure Software Development Framework.
Adobe secure software self-attestation forms can be reviewed within the Repository for Software Attestations and Artifacts (RSAA) maintained by the Cybersecurity and Infrastructure Security Agency (CISA). The RSAA portal is open to federal agency users and software producer users.
The current list of SSDF-attested Software includes:
1. Adobe Acrobat and Reader, desktop, mobile, and associated cloud services including GenAI
2. Adobe Creative Cloud enterprise, all desktop & mobile apps, and associated cloud services including GenAI:
a. Adobe Photoshop
b. Adobe Premiere Pro
c. Adobe Illustrator
d. Adobe InDesign
e. Adobe After Effects
f. Adobe Animate
g. Adobe Audition
h. Adobe Bridge
i. Adobe Character Animator
j. Adobe InCopy
k. Adobe InDesign Server
l. Adobe Lightroom Classic
m. Adobe Media Encoder
3. Adobe Experience Manager on-premise and Managed Services, including desktop companions
4. Adobe Connect on-premise desktop, server, mobile and Managed Services
5. Adobe Acrobat Sign
6. Adobe Document Cloud Services
7. Adobe Learning Manager
8. Technical Communication Suites, including desktop & server Adobe FrameMaker, Adobe Captivate and Adobe RoboHelp
9. Adobe ColdFusion
10. Adobe Analytics
11. Adobe Campaign
For any additional questions, you can contact ssdagov@adobe.com