NIST published Special Publication 800-218A, "Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile," on July 26, 2024. It is the companion to NIST SP 800-218 (the Secure Software Development Framework, version 1.1) that Executive Order 14110 directed NIST to produce within 270 days of the EO's October 30, 2023 signing. The document is short, about 27 pages, but it is the first authoritative US government articulation of what "secure" means for the production chain of an AI model, from training data through model release. Although EO 14110 was rescinded by EO 14148 on January 20, 2025, SP 800-218A remains published, final NIST guidance, and federal and state procurement bodies (DOD, GSA, CMS, and several state AI procurement programs) continue to reference it in attestation language.
What does SP 800-218A actually add to SSDF?
The base SSDF (NIST SP 800-218 v1.1) organizes secure development around four practice groups: Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV). SP 800-218A does not replace these. It keeps the SSDF practice and task identifiers and adds, under each task, recommendations that apply the task to AI model development: training data, model weights, pre-trained models pulled in as components, and the tooling and pipelines that produce them. Most of the AI-specific content lands where a practitioner would expect it: PO.1.1 (security requirements now cover the model development infrastructure and pipeline), PS.1.1 and PS.2.1 (model weights and other model elements are stored with least-privilege access and released with integrity verification information such as signatures and hashes), PS.3.2 (provenance data for each release, extended from a software bill of materials to cover training data and the model itself), and PW.4.1 and PW.4.4 (acquired pre-trained models and datasets are treated as third-party components that must be vetted and verified like any other dependency).
What counts as a "dual-use foundation model"?
The publication adopts the EO 14110 definition: an AI model that is trained on broad data, generally uses self-supervision, contains at least tens of billions of parameters, is applicable across a wide range of contexts, and exhibits (or could easily be modified to exhibit) high levels of performance at tasks that pose a serious risk to security, national economic security, or public health or safety. The Profile addresses three roles: AI model producers, AI system producers who build on those models, and AI system acquirers. The definition matters for two reasons. First, it determines which products the attestation language in procurement is aimed at. Second, the EO 14110 Section 4.2 reporting threshold for foundation models (training compute above 10^26 integer or floating-point operations) is carried into SP 800-218A as the line above which dual-use risks warrant particular attention, even though the EO that set the threshold has been rescinded.
What does the training-data provenance requirement look like in practice?
The provenance recommendations sit under PS.3.2, the SSDF task that already covers provenance data and SBOMs for conventional software. The Profile extends it to training data: where each dataset was obtained, when, under what license or terms, and how it was processed before use. The Profile gives two reasons: license and use-restriction compliance, and a basis for detecting poisoning (for example, Nightshade-style perturbed images planted in a crawl to corrupt text-to-image training) and any later substitution of the data. The Profile does not mandate a format, but a dataset manifest that hashes each input shard, records the upstream source URL or provider, captures the retrieval timestamp, and lists the preprocessing steps covers the recommendation and mirrors what an AI Bill of Materials would express today. One caveat a practitioner should keep in mind: a digest taken at ingestion only proves the data has not changed since; content that was already poisoned when retrieved still needs content-level screening, which the manifest records but does not perform. A manifest along those lines:
{
  "dataset_manifest": {
    "name": "training_corpus_v2.3",
    "total_records": 412857201,
    "sources": [
      {
        "provider": "common_crawl",
        "url_prefix": "https://commoncrawl.org/crawl-data/CC-MAIN-2024-30/",
        "retrieved_at": "2024-08-12T00:00:00Z",
        "license": "Common Crawl Terms of Use",
        "preprocessing": ["url_dedup", "language_filter:en", "pii_redaction:presidio"],
        "sha256": "f4a8...c9d1"
      }
    ],
    "exclusions": ["copyrighted_news_2020-2024", "books3", "opted_out_domains"],
    "tampering_check": {
      "method": "sha256_per_shard",
      "last_verified": "2025-01-09T15:42:11Z"
    }
  }
}
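The manifest above records a "sha256_per_shard" tampering check but does not show the check itself. The following is an added example, written for this page and not taken from SP 800-218A or any vendor tool, of how that check works end to end: it builds a manifest by hashing each shard at ingestion, serializes it as JSON, and later re-hashes whatever is on hand against it, reporting a modified shard, a missing shard, and a shard that was never recorded. The per-shard "shards" array, the field names, and the sample shard contents are this example's own assumptions; the page's manifest shows a single digest per source.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Shard is one input file of a source; its digest is recorded at ingestion time.
type Shard struct {
	Name   string `json:"name"`
	SHA256 string `json:"sha256"`
}

// Source is one upstream provider entry, as in the "sources" array of the manifest above.
// Per-shard digests are an assumption of this example; the page's manifest shows one
// digest per source and names a "sha256_per_shard" method without listing the shard digests.
type Source struct {
	Provider      string   `json:"provider"`
	RetrievedAt   string   `json:"retrieved_at"`
	Preprocessing []string `json:"preprocessing"`
	Shards        []Shard  `json:"shards"`
}

// Manifest is the subset of the dataset_manifest object needed for tamper checks.
type Manifest struct {
	Name    string   `json:"name"`
	Sources []Source `json:"sources"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildSource hashes every shard of a provider at ingestion. Shard names are sorted so
// the manifest is deterministic and diffable across re-ingestions.
func BuildSource(provider, retrievedAt string, prep []string, shards map[string][]byte) Source {
	names := make([]string, 0, len(shards))
	for n := range shards {
		names = append(names, n)
	}
	sort.Strings(names)
	src := Source{Provider: provider, RetrievedAt: retrievedAt, Preprocessing: prep}
	for _, n := range names {
		src.Shards = append(src.Shards, Shard{Name: n, SHA256: sha256Hex(shards[n])})
	}
	return src
}

// VerifySource re-hashes the shards now on hand against the manifest and reports every
// discrepancy: a changed shard, a recorded shard that is missing, and a shard on hand
// that the manifest never recorded (an unrecorded addition is how poisoned data slips in).
func VerifySource(src Source, onHand map[string][]byte) []string {
	var problems []string
	recorded := make(map[string]bool)
	for _, sh := range src.Shards {
		recorded[sh.Name] = true
		data, ok := onHand[sh.Name]
		if !ok {
			problems = append(problems, fmt.Sprintf("%s/%s: missing", src.Provider, sh.Name))
			continue
		}
		if got := sha256Hex(data); got != sh.SHA256 {
			problems = append(problems, fmt.Sprintf("%s/%s: digest mismatch (manifest %s, actual %s)",
				src.Provider, sh.Name, sh.SHA256, got))
		}
	}
	var extra []string
	for n := range onHand {
		if !recorded[n] {
			extra = append(extra, n)
		}
	}
	sort.Strings(extra)
	for _, n := range extra {
		problems = append(problems, fmt.Sprintf("%s/%s: not in manifest", src.Provider, n))
	}
	return problems
}

// VerifyManifest checks every source; onHand maps provider -> shard name -> bytes.
func VerifyManifest(m Manifest, onHand map[string]map[string][]byte) []string {
	var problems []string
	for _, src := range m.Sources {
		problems = append(problems, VerifySource(src, onHand[src.Provider])...)
	}
	return problems
}

func main() {
	// Constructed sample shards standing in for downloaded crawl files.
	shards := map[string][]byte{
		"shard-000.jsonl": []byte("{\"url\":\"https://example.org/a\",\"text\":\"alpha\"}\n"),
		"shard-001.jsonl": []byte("{\"url\":\"https://example.org/b\",\"text\":\"beta\"}\n"),
	}
	prep := []string{"url_dedup", "language_filter:en", "pii_redaction:presidio"}
	m := Manifest{Name: "training_corpus_v2.3", Sources: []Source{
		BuildSource("common_crawl", "2024-08-12T00:00:00Z", prep, shards),
	}}
	out, _ := json.MarshalIndent(m, "", "  ")
	fmt.Println(string(out))

	// Simulate an injected record in one shard and a dropped shard, then re-verify.
	shards["shard-001.jsonl"] = append(shards["shard-001.jsonl"], "{\"url\":\"https://example.org/x\",\"text\":\"injected\"}\n"...)
	delete(shards, "shard-000.jsonl")
	for _, p := range VerifyManifest(m, map[string]map[string][]byte{"common_crawl": shards}) {
		fmt.Println("TAMPER:", p)
	}
}
```

The verification deliberately reports additions as well as modifications and deletions: a poisoning attempt that appends a new shard to the corpus directory leaves every recorded digest intact, so a check that only iterates over the manifest would pass it.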
How does SP 800-218A handle model weights and red teaming?
Two areas deserve specific attention. The PS practices cover model weights as a protected release artifact: PS.1.1 stores weights and other model elements with least-privilege access, PS.2.1 ships integrity verification information (a signature and published hashes) with each release, and PS.3.1 archives the exact released artifacts together with the data needed to audit them. Taken together they mean that any modification or fine-tune is a new artifact with its own provenance record linked to its parent, not an edit to an existing one. That is the weight-tampering control that became operationally relevant as model weight theft and malicious model files on public model hubs moved from hypothetical to documented in 2024 and 2025. A published hash only helps if acquirers actually check it against the signed release record before loading the weights, and for serialization formats that execute code on load (Python pickle being the usual case) that check is the only thing between a tampered file and code execution on the training or inference host. PW.8 (test executable code) is where AI red-teaming lands: producers should scope, conduct, document, and analyze pre-deployment AI red-team testing aimed at capability elicitation, content safety, and evasion of security boundaries. The Profile does not prescribe a red-team methodology; it points to the NIST AI RMF Generative AI Profile (NIST AI 600-1, also published July 26, 2024) for procedural guidance.
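To make the release-integrity recommendations concrete, here is an added example, written for this page rather than taken from the Profile or from any vendor product, of a signed release record with a provenance chain: the base model vendor signs its weights, a fine-tuner signs a new artifact that points at the parent's digest, and an acquirer walks the chain checking trusted keys, signatures, parent links, and the weights actually on hand. The record layout, the NUL-separated canonical message, the producer names, and the stand-in weight bytes are all this example's own assumptions; it uses Ed25519 from the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is one released set of weights plus the provenance record tying it to the
// artifact it was derived from. The field layout is this example's own assumption.
type Artifact struct {
	Name          string // release identifier, e.g. "base-7b-v1"
	WeightsSHA256 string // digest of the weights file exactly as released
	ParentSHA256  string // WeightsSHA256 of the artifact this was fine-tuned from; "" for a base model
	Producer      string // identifier of the key that signed this release
	Signature     []byte // Ed25519 signature over signedBytes()
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signedBytes is the canonical message the signature covers. Fixed field order with a
// NUL separator (none of the fields may contain NUL) means a rewritten parent link or a
// renamed artifact invalidates the signature as surely as modified weights do.
func (a Artifact) signedBytes() []byte {
	return []byte("ssdf-release-v1\x00" + a.Name + "\x00" + a.WeightsSHA256 + "\x00" +
		a.ParentSHA256 + "\x00" + a.Producer)
}

// Release hashes the weights, links the record to its parent (if any) and signs it.
// A fine-tune therefore becomes a new artifact with its own record, never an edit of the parent's.
func Release(priv ed25519.PrivateKey, producer, name string, weights []byte, parent *Artifact) Artifact {
	a := Artifact{Name: name, WeightsSHA256: sha256Hex(weights), Producer: producer}
	if parent != nil {
		a.ParentSHA256 = parent.WeightsSHA256
	}
	a.Signature = ed25519.Sign(priv, a.signedBytes())
	return a
}

// VerifyChain walks a base -> fine-tune -> ... chain in order and checks each link:
// the producer's key is trusted, the signature verifies, the parent link equals the
// previous artifact's weights digest, and the weights on hand hash to the recorded digest.
func VerifyChain(trusted map[string]ed25519.PublicKey, chain []Artifact, weights map[string][]byte) error {
	prev := ""
	for i, a := range chain {
		pub, ok := trusted[a.Producer]
		if !ok {
			return fmt.Errorf("link %d (%s): producer %q is not a trusted signer", i, a.Name, a.Producer)
		}
		if !ed25519.Verify(pub, a.signedBytes(), a.Signature) {
			return fmt.Errorf("link %d (%s): signature does not verify", i, a.Name)
		}
		if a.ParentSHA256 != prev {
			return fmt.Errorf("link %d (%s): parent digest does not match the preceding artifact", i, a.Name)
		}
		w, ok := weights[a.Name]
		if !ok {
			return fmt.Errorf("link %d (%s): weights not available for verification", i, a.Name)
		}
		if got := sha256Hex(w); got != a.WeightsSHA256 {
			return fmt.Errorf("link %d (%s): weights digest mismatch", i, a.Name)
		}
		prev = a.WeightsSHA256
	}
	return nil
}

func main() {
	// Two producers with their own signing keys: the base model vendor and a fine-tuner.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"vendor-a": pubA, "tuner-b": pubB}

	// Constructed stand-ins for weight files.
	base := []byte("base model weights v1")
	tuned := []byte("fine-tuned weights for legal QA")
	a := Release(privA, "vendor-a", "base-7b-v1", base, nil)
	b := Release(privB, "tuner-b", "base-7b-v1-ft-legal", tuned, &a)
	weights := map[string][]byte{a.Name: base, b.Name: tuned}

	fmt.Println("clean chain:", VerifyChain(trusted, []Artifact{a, b}, weights))
	weights[b.Name] = []byte("fine-tuned weights with a planted backdoor")
	fmt.Println("swapped weights:", VerifyChain(trusted, []Artifact{a, b}, weights))
}
```

The checks run in the order an acquirer should apply them: an untrusted or forged signature rejects the record before any weights are read, and the parent link is part of the signed message, so a fine-tuner cannot silently re-point its artifact at a different base after the fact.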
What survived the rescission of EO 14110?
EO 14110 was rescinded by EO 14148 on January 20, 2025, which also removed the Section 4.2 Defense Production Act reporting requirements for dual-use foundation model training runs. The January 23, 2025 EO 14179 ("Removing Barriers to American Leadership in Artificial Intelligence") replaced it and directed the Assistant to the President for Science and Technology, the Special Advisor for AI and Crypto, and the Assistant to the President for National Security Affairs to develop an AI Action Plan within 180 days; it also directed OMB to revise its AI memoranda. The plan, "America's AI Action Plan," was released on July 23, 2025. It does not reinstate the reporting requirement or the safety determinations, but it preserves NIST's role in publishing AI security guidance. NIST continues to list SP 800-218A as final guidance and has stated that a Revision 1 incorporating production experience from 2024 and 2025 is underway, with a public draft expected mid-2026.
Who is actually referencing SP 800-218A in procurement?
Three concrete adoptions are visible in the public record. First, GSA's AI Acquisition Resource Hub (launched May 2025) lists SP 800-218A as a recommended technical reference for federal AI procurements above the Simplified Acquisition Threshold. Second, the Department of Defense's Generative AI and Large Language Model Adoption Roadmap (Chief Digital and Artificial Intelligence Office, May 2024 update; the Joint AI Center had been folded into the CDAO by then) references SP 800-218A for vendor due diligence. Third, the Federal Risk and Authorization Management Program (FedRAMP) AI Authorization Framework, currently in draft as part of FedRAMP 20x Phase Two, incorporates the Profile's provenance and artifact-integrity tasks (PS.3.2, PS.2.1, and PS.3.1) as Key Security Indicators for AI-enabled cloud services.
How Safeguard Helps
Safeguard generates AI Bill of Materials documents that cover the training-data provenance and model-artifact integrity recommendations in SP 800-218A tasks PS.3.2, PS.2.1, and PS.3.1, with cryptographic hashing of weights, dataset manifests, and fine-tuning chains. Griffin AI maps an organization's existing SSDF attestations against SP 800-218A's AI-specific tasks and recommendations and surfaces gaps in red-teaming evidence, training data documentation, and weight tampering controls. The platform's policy gates block model artifacts from production if their provenance chain has unsigned links or unverified upstream datasets. For vendors selling AI-enabled SaaS to federal agencies, Safeguard exports the attestation package in the OSCAL format that FedRAMP 20x and GSA evaluators ingest, reducing the manual control mapping that has been the most expensive part of AI procurement to date.