SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Cybersecurity Assessments

Schellman Software Security Assessment (S3A)

To help you manage the security of your software development lifecycle (SDLC), ensure consistent secure coding practices, and address vulnerabilities before they can be exploited, we offer a customized assessment that is based on components of several security standards that can be tailored to your unique threat profile.

Contact a Specialist

Secure Your Software and Meet Industry Requirements Through a Holistic and Objective-Based  Assessment Approach

Though software has recently become the foundation of security, the vulnerabilities that affect it persist and remain a significant threat to developers. To effectively protect against things like exploitation of unpatched software, lack of static and dynamic testing, and excessive permissions—among others—you need to take a comprehensive approach to the security of your SDLC. 

A comprehensive approach deserves a comprehensive assessment, which is why we have cultivated a unique option for organizations that want to prioritize their software security. 

White House EO 14028

With the White House Executive Order 14028 and subsequent Office of Management and Budget (OMB) Memorandums - M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” and M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” - there are explicit requirements for organizations providing software for use in the federal government.

It is important to note that organizations have the option to self-attest—meaning, you can have a chief executive of your organization or a chosen delegate sign the form.

Alternatively, you can engage an accredited 3PAO to assess of your software security before issuing a formal report that you can attach to the CISA self-attestation in lieu of having your CEO sign it.

The deadlines for providing self-attestations or 3PAO assessment reports demonstrating compliance are rapidly approaching. Read more on these deadlines and requirements here.

Our Schellman Software Security Assessment (S3A) Requirements Draw From Many Industry-Recognized Standards:

  • The NIST Software Security Framework (SSF)
  • The NIST 800-218 Secure Software Development Framework (SSDF)
  • The CISA Secure Software Development Attestation Form
  • The NIST Cybersecurity Framework (CSF)
  • The PCI Secure Controls Framework (SCF)
  • PCI Software Security Framework (PCI SSF)
  • ISO/IEC standards

Our Schellman Software Security Assessment (S3A) Could Help You…

Your Schellman Software Security Assessment (S3A) Options

S3A Foundational*
Includes core evaluation of your:

  • Software development lifecycle (SDLC) processes
  • Basic secure code development training capabilities for engineering personnel
  • Secure code testing practices
  • Source code security
  • Separation of duties
  • All objectives required per the CISA Secure Software Development Attestation Form

S3A Intermediate
Includes an evaluation of your foundational controls plus a review of:

  • Security and authentication to source code
  • Use of static and dynamic testing
  • Review of advanced secure coding and testing capabilities for engineering personnel
  • Review of Software Bills of Material (SBOM)
  • Objectives within the NIST SSDF standard

S3A Comprehensive     
Includes an assessment of your software practices against the full NIST Secure Software Development Framework and the 3PAO reporting needed to satisfy the CISA Secure Software Development Attestation Form.

Contact a Specialist

Joe O'Donnell

Joe O'Donnell is a Manager with Schellman mainly dedicated to the PCI and PCI specialty service lines. Before focusing his career on IT auditing services, Joe worked as an Enterprise Operations Computing Analyst where he gained experience in IT systems analysis and data center operations.

Meet Joe Contact Us

Schellman Software Security Assessment (S3A) Methodology

When you partner with us for our S3A assessment, you will gain peace of mind and confidence in your software and software development security after a process we break down into five distinct phases: 
Image

1. Planning Phase (1 - 2 weeks)

First, we’ll work together to identify any in-scope lines of business, systems, and platforms, shared services applications, and component applications, as well as any specifics regarding your data handled and other significant processes. In addition, we will identify any existing standards that you need to meet.

Image

2. Control Mapping and Testing (2 – 4 weeks)

As we map your security controls to the framework subcategories, we’ll begin with a select number of control areas and range upwards to a full NIST Secure Software Development Framework assessment.

For each identified subcategory you include, we’ll review documentation and technical evidence and perform testing to determine whether or not these objectives have been met.

Image

3. Remediation and Finding Closure (1-2 weeks)

Wherever we note where you did not meet control requirements—or where you have opportunities to improve security and development flow—you’ll develop, document, and implement remediation plans before we review your updates and perform retesting. 

Image

4. Final Reporting (2 – 3 weeks)

We’ll provide a final and detailed analysis of the framework as well as our findings and recommendations for improving your software security and achieving compliance with relevant regulations and standards.

*You can also request an external-facing report documenting the scope, activities, and high-level findings related to the assessment.

In addition, Schellman will prepare the attestations and required documentation for reporting agencies and aid in submitting documentation.