
NIST Cybersecurity Professional®
NCSP® 800-218 Foundation Certificate
Build Secure Software Using the NIST Secure Software Development Framework (SSDF)

Course Description

Software is at the heart of every modern organisation and, increasingly, at the heart of every cyber incident. Vulnerabilities introduced during design, development, or deployment can have cascading impacts across entire supply chains. NIST SP 800‑218, the Secure Software Development Framework (SSDF), provides a comprehensive, outcome‑based approach for integrating security into every phase of the software lifecycle.

The NCSP® 800‑218 Foundation Certificate is a 2‑day, instructor‑led course introducing participants to the structure, practices, and implementation strategies of the SSDF. The course explains how to embed secure‑by‑design and secure‑by‑default principles into software engineering, DevSecOps, and supply chain processes, and how the SSDF aligns with the NIST Cybersecurity Framework (CSF) 2.0.
Participants learn how to reduce software vulnerabilities, strengthen development pipelines, and meet emerging regulatory and customer expectations for secure software.
What You Will Learn
Participants gain foundational knowledge required to apply the SSDF across software development and acquisition environments. You will learn:
- How the SSDF aligns with the NIST CSF 2.0 and supports secure‑by‑design engineering.
- The structure and purpose of the SSDF’s four practice groups: Prepare, Protect, Produce, and Respond.
- How to integrate security into software design, coding, testing, deployment, and maintenance.
- How to secure CI/CD pipelines, development tooling, and software supply chains.
- Approaches for managing vulnerabilities, responding to software‑related incidents, and maintaining software assurance.
- How to apply SSDF practices in Agile, DevOps, and DevSecOps environments.

Course Agenda

Day 1: SSDF Foundations, Governance & Secure Development Practices
Module 1: Introduction to NIST SP 800‑218 (SSDF)
- Understanding the purpose, evolution, and regulatory drivers behind the SSDF, including its role in secure software development and supply chain assurance.
Module 2: SSDF Structure & Practice Groups
- Exploring the four SSDF practice groups: Prepare the Organisation, Protect the Software, Produce Well‑Secured Software, and Respond to Vulnerabilities.
Module 3: Governance, Roles & Organisational Readiness
- Establishing secure development policies, roles, responsibilities, and governance structures that support SSDF adoption.
Module 4: Secure Design & Development Practices
- Integrating threat modelling, secure coding, code review, and automated testing into development workflows.
Day 2: CI/CD Security, Vulnerability Management & Continuous Improvement
Module 5: Securing the Development Environment & Toolchain
- Protecting build systems, repositories, CI/CD pipelines, and development tools from compromise.
Module 6: Software Supply Chain Security
- Applying SSDF practices to third‑party components, open‑source software, SBOMs, and supplier assurance.
Module 7: Vulnerability Management & Incident Response
- Identifying, triaging, remediating, and communicating vulnerabilities in developed or deployed software.
Module 8: Continuous Monitoring & DevSecOps Integration
- Implementing ongoing security testing, automation, and feedback loops that maintain software assurance over time.

Learning Outcomes

Participants will be able to:
- Explain how NIST SP 800‑218 supports the NIST Cybersecurity Framework 2.0 and secure‑by‑design principles.
- Identify and describe the SSDF practice groups and their associated tasks and outcomes.
- Integrate secure development practices into Agile, DevOps, and DevSecOps workflows.
- Protect development environments, CI/CD pipelines, and software supply chains from compromise.
- Apply vulnerability management and incident response practices to software products and components.
- Translate SSDF guidance into actionable engineering and governance practices that improve software security.

Who Should Attend?

This course is designed for professionals responsible for developing, securing, or managing software systems, including:
- Software Developers & Engineers
- DevOps & DevSecOps Teams
- Application Security Professionals
- Systems Integrators & Technology Vendors
- Security Architects & Engineering Leads
- Program & Project Managers overseeing software development
- Compliance, Governance, and Assurance Personnel

Prerequisites
There are no formal prerequisites for this Foundation‑level course, though a basic understanding of cybersecurity concepts and the NIST CSF is recommended.
Participants are provided with:
- NIST Cybersecurity Professional® (NCSP®) 800-218 Foundation Certificate courseware, including links to further reading and resources.
- NIST Cybersecurity Professional® (NCSP®) 800-218 Foundation Certificate, Certificate of Completion.
- NIST Cybersecurity Professional® (NCSP®) 800-218 Foundation Certificate digital badge.

Enrol Today

Build practical capability in applying the NIST Secure Software Development Framework (SSDF) to strengthen software assurance and secure the software supply chain.

Further Reading
NIST 800-218 - Secure Software Development Framework (SSDF) Version 1.1
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
