Secure Controls Framework
SDO & CODE Designations

Govern secure development at the organization level.

There is a growing need for organizations to be able to demonstrate that, at the organization level, they govern secure development practices. This is where the Secure Development Organization (SDO) certification is very valuable.

✓ 3 SDO Levels
✓ 2 CODE Levels
✓ EO 14028 + NIST SP 800-218
Secure Development Organization (SDO)

Three levels of organizational commitment.

There are three (3) different levels of SDO; the level an organization attains depends on the number of SCA Practitioners and SCA Architects it employs.

The SDO designation was developed as a way for organizations to clearly identify a commitment to secure development practices, through:

  • Adherence to the respective requirements and constructs of the SCA framework; and
  • Employing SCA-certified individuals to operationalize secure development practices.
SDO 1

Foundational

Entry-level designation indicating an organization's foundational commitment to secure development practices and SCA-certified personnel.

SDO 2

Intermediate

Demonstrated investment in SCA-certified personnel — minimum staffing of CSCAPs and CSCAAs reflects organizational maturity.

SDO 3

Advanced

Highest SDO designation — significant SCA Practitioner and Architect headcount reflects deep, sustained organizational commitment.

Certified Organization for Development Excellence (CODE)

Third-party conformity assessment.

In addition to the organization-wide SDO certification, there is also the ability for an organization to earn the designation as a Certified Organization for Development Excellence (CODE).

The concept of the CODE certification is to utilize a third-party conformity assessment of secure development practices. CODE certification is independent of an SDO designation: an organization does not have to be an SDO to seek or obtain CODE certification.

For CODE, the SCA:

CODE 1

CISA SSDAF Conformity

Organization successfully demonstrates conformity with the Cybersecurity and Infrastructure Security Agency (CISA) Secure Software Development Attestation Form (SSDAF) — addressing EO 14028 requirements.

CODE 2

NIST SP 800-218 Conformity

Organization successfully demonstrates conformity with the National Institute of Standards and Technology (NIST) Special Publication 800-218 — the Secure Software Development Framework (SSDF).

Side-by-Side

Choosing between SDO and CODE.

SDO and CODE serve different purposes — and an organization can pursue both. CODE certification is independent of an SDO designation; you don't have to be an SDO to seek CODE certification.

| Dimension     | SDO Designation                                        | CODE Certification                                         |
|---------------|--------------------------------------------------------|------------------------------------------------------------|
| Focus         | Organizational commitment via certified personnel      | Third-party conformity assessment of practices             |
| Levels        | Three (1, 2, 3) — based on SCA-certified headcount     | Two (CODE 1, CODE 2) — based on framework conformity       |
| Validation    | SCA-administered framework adherence                   | The Cyber AB (Accreditation Body) via SCF CAP              |
| Aligned to    | SCA framework + employed CSCAPs and CSCAAs             | CODE 1: CISA SSDAF (EO 14028) · CODE 2: NIST SP 800-218    |
| Prerequisite? | No CODE prerequisite                                   | SDO not required                                           |