Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Learn More
866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
Healthcare Assessments
Healthcare Assessments
HITRUST CSF Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

Cybersecurity Assessments

Schellman Software Security Assessment (S3A)

To help you manage the security of your software development lifecycle (SDLC), ensure consistent secure coding practices, and address vulnerabilities before they can be exploited, we offer a customized assessment that is based on components of several security standards that can be tailored to your unique threat profile.

Contact a Specialist

Secure Your Software and Meet Industry Requirements Through a Holistic and Objective-Based  Assessment Approach

Though software has recently become the foundation of security, the vulnerabilities that affect it persist and remain a significant threat to developers. To effectively protect against things like exploitation of unpatched software, lack of static and dynamic testing, and excessive permissions—among others—you need to take a comprehensive approach to the security of your SDLC. 

A comprehensive approach deserves a comprehensive assessment, which is why we have cultivated a unique option for organizations that want to prioritize their software security. 

White House EO 14028

With the White House Executive Order 14028 and subsequent Office of Management and Budget (OMB) Memorandums - M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” and M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” - there are explicit requirements for organizations providing software for use in the federal government.

It is important to note that organizations have the option to self-attest—meaning, you can have a chief executive of your organization or a chosen delegate sign the form.

Alternatively, you can engage an accredited 3PAO to assess of your software security before issuing a formal report that you can attach to the CISA self-attestation in lieu of having your CEO sign it.

The deadlines for providing self-attestations or 3PAO assessment reports demonstrating compliance are rapidly approaching. Read more on these deadlines and requirements here.

Our Schellman Software Security Assessment (S3A) Requirements Draw From Many Industry-Recognized Standards:

  • The NIST Software Security Framework (SSF)
  • The NIST 800-218 Secure Software Development Framework (SSDF)
  • The CISA Secure Software Development Attestation Form
  • The NIST Cybersecurity Framework (CSF)
  • The PCI Secure Controls Framework (SCF)
  • PCI Software Security Framework (PCI SSF)
  • ISO/IEC standards

Our Schellman Software Security Assessment (S3A) Could Help You…

https://www.schellman.com/hubfs/lock-badge.svg

Meet Mandated Security and Reporting Requirements as a Software Provider to the Federal Government

As a FedRAMP 3PAO, Schellman is uniquely experienced to provide third-party assessment for organizations seeking to meet the requirements in the CISA Secure Software Development Attestation Form.

https://www.schellman.com/hubfs/blue-vulnerabilities-icon-1.png

Improve Your Software Security and Enhance Your Risk Management Practices

Given its systematic approach to identifying, assessing, and managing cybersecurity risks in software, this assessment can help you improve your development processes, reduce the most common risk and attack vectors, and improve your overall cybersecurity posture. 

https://www.schellman.com/hubfs/compliance-1.svg

Address More Extensive Compliance Concerns

So many different compliance standards address software security in some way—because we can tailor our S3A assessment to your needs, the process could help you get started in more broadly addressing your other requirements.

https://www.schellman.com/hubfs/better-odds.svg

Better Your Odds with Insurance

Having an S3A report in hand will communicate your commitment to security to potential insurers, who may then be enticed to reduce your premiums.

https://www.schellman.com/hubfs/due-diligence-1.png

Provide Cost-Effective Third-Party Validation

Our assessment deliverables will provide your customers, partners, and stakeholders with independent validation of your cybersecurity posture—helping both you and them to rest easier.

Your Schellman Software Security Assessment (S3A) Options

S3A Foundational*
Includes core evaluation of your:

  • Software development lifecycle (SDLC) processes
  • Basic secure code development training capabilities for engineering personnel
  • Secure code testing practices
  • Source code security
  • Separation of duties
  • All objectives required per the CISA Secure Software Development Attestation Form

S3A Intermediate
Includes an evaluation of your foundational controls plus a review of:

  • Security and authentication to source code
  • Use of static and dynamic testing
  • Review of advanced secure coding and testing capabilities for engineering personnel
  • Review of Software Bills of Material (SBOM)
  • Objectives within the NIST SSDF standard

S3A Comprehensive     
Includes an assessment of your software practices against the full NIST Secure Software Development Framework and the 3PAO reporting needed to satisfy the CISA Secure Software Development Attestation Form.

Meet Your Schellman Software Security Assessment (S3A) Expert, Joe O'Donnell

Joe O'Donnell is a Manager with Schellman mainly dedicated to the PCI and PCI specialty service lines. Before focusing his career on IT auditing services, Joe worked as an Enterprise Operations Computing Analyst where he gained experience in IT systems analysis and data center operations.

Meet Joe Message Joe

Schellman Software Security Assessment (S3A) Methodology

When you partner with us for our S3A assessment, you will gain peace of mind and confidence in your software and software development security after a process we break down into five distinct phases: 
Image

1. Planning Phase (1 - 2 weeks)

First, we’ll work together to identify any in-scope lines of business, systems, and platforms, shared services applications, and component applications, as well as any specifics regarding your data handled and other significant processes. In addition, we will identify any existing standards that you need to meet.

Image

2. Control Mapping and Testing (2 – 4 weeks)

As we map your security controls to the framework subcategories, we’ll begin with a select number of control areas and range upwards to a full NIST Secure Software Development Framework assessment.

For each identified subcategory you include, we’ll review documentation and technical evidence and perform testing to determine whether or not these objectives have been met.

Image

3. Remediation and Finding Closure (1-2 weeks)

Wherever we note where you did not meet control requirements—or where you have opportunities to improve security and development flow—you’ll develop, document, and implement remediation plans before we review your updates and perform retesting. 

Image

4. Final Reporting (2 – 3 weeks)

We’ll provide a final and detailed analysis of the framework as well as our findings and recommendations for improving your software security and achieving compliance with relevant regulations and standards.

*You can also request an external-facing report documenting the scope, activities, and high-level findings related to the assessment.

In addition, Schellman will prepare the attestations and required documentation for reporting agencies and aid in submitting documentation.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.