{ "$schema": "https://schemas.nightboxllc.com/ssdf-self-attestation/v1.json", "@context": "https://schema.org", "@type": "Dataset", "@id": "https://nightboxllc.com/.well-known/ssdf-self-attestation.json", "name": "NIGHTBOX — NIST SSDF (SP 800-218) Secure Software Development Self-Attestation", "headline": "Self-attestation per Executive Order 14028, OMB Memorandum M-22-18 (September 14, 2022), OMB Memorandum M-23-16 (June 9, 2023) update, and the CISA Secure Software Development Attestation Common Form (finalized March 11, 2024) — NIGHTBOX LLC attests that any software developed by NIGHTBOX and used in federal information systems is developed in conformance with the NIST Secure Software Development Framework Version 1.1 (NIST SP 800-218).", "version": "1.0", "issued_date": "2026-05-16", "next_attestation_due": "2027-05-16", "license": "https://creativecommons.org/licenses/by/4.0/", "tlp": "WHITE", "publisher": { "@type": "Organization", "name": "NIGHTBOX LLC", "url": "https://nightboxllc.com/", "sam_uei": "UHCAB6UXXKF2", "ein": "39-4373044", "domicile": "Wyoming, United States" }, "attesting_official": { "name": "Artem Shakin", "title": "Sole Member, Founder, and CISO (sole-employee venture)", "email": "artem@nightboxllc.com", "orcid": "0009-0006-0003-6806" }, "regulatory_anchors": { "eo_14028": { "citation": "Executive Order 14028 — Improving the Nation's Cybersecurity", "issued": "2021-05-12", "url": "https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/" }, "omb_m_22_18": { "citation": "OMB Memorandum M-22-18 — Enhancing the Security of the Software Supply Chain through Secure Software Development Practices", "issued": "2022-09-14", "url": "https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf" }, "omb_m_23_16": { "citation": "OMB Memorandum M-23-16 — Update to Memorandum M-22-18", "issued": "2023-06-09", "url": 
"https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-.pdf" }, "nist_ssdf_800_218": { "citation": "NIST Special Publication 800-218 — Secure Software Development Framework (SSDF) Version 1.1", "url": "https://csrc.nist.gov/pubs/sp/800/218/final", "released": "2022-02" }, "cisa_attestation_form": { "citation": "CISA Secure Software Development Attestation Common Form", "finalized": "2024-03-11", "url": "https://www.cisa.gov/secure-software-attestation-form", "submission_path": "Repository for Software Attestations and Artifacts (RSAA)" }, "current_revision_in_draft": { "citation": "NIST SP 800-218 Revision 1 (SSDF v1.2) — Draft", "published": "2025-12-17", "public_comment_closed": "2026-01-30", "status_at_attestation_date": "Not yet finalized; NIGHTBOX tracks for adoption upon finalization." } }, "scope_of_attestation": { "software_categories_covered": [ "NIGHTBOX-developed analytical artifacts (BIRJA-tagged metadata manifests, JSON Feed publications, editorial-standards manifests)", "NIGHTBOX-operated production endpoints (/api/ask AI Q&A endpoint, /api/health, /api/version, /api/contact, related Vercel Edge serverless functions)", "NIGHTBOX-operated public website (nightboxllc.com)", "NIGHTBOX SCOUT autonomous AI reconnaissance pipeline (development artifact, not yet operational at federal scale)" ], "software_NOT_covered": [ "Third-party software used by NIGHTBOX (Vercel platform, Neon Postgres, Cloudflare, Google Workspace, Anthropic API, OpenRouter, GitHub — each operates under its own attestation if delivered to federal information systems)", "Operating systems, browsers, or general-purpose tools used in development", "Software not delivered to federal information systems" ], "current_federal_software_delivery_status": "NIGHTBOX is not currently delivering software directly to any federal information system. This self-attestation is filed pre-award in anticipation of solicitations that may require SSDF attestation. 
The attestation record exists at the pre-award stage so that NIGHTBOX is procurement-ready." }, "ssdf_practices_self_attested": { "preamble": "The NIST SSDF v1.1 defines four practice groups (Prepare the Organization, Protect the Software, Produce Well-Secured Software, Respond to Vulnerabilities). NIGHTBOX self-attests conformance within each practice group, with an implementation note for each practice. This follows the CISA Common Form structure.", "po_prepare_the_organization": { "po_1_define_security_requirements": {"status": "Conforming", "note": "Security requirements documented in /.well-known/cyber-2026-alignment.json + /.well-known/compliance-hardening-log.json. All software developed by NIGHTBOX inherits the documented baseline."}, "po_2_implement_roles_and_responsibilities": {"status": "Conforming (NA at scale)", "note": "Sole-employee venture; founder holds all roles (developer, security, operations). Not applicable to multi-person team structures."}, "po_3_implement_supporting_toolchains": {"status": "Conforming", "note": "Development toolchain: Git for source control, public source tree, dependency manifests (package.json + requirements.txt + Cargo.toml) committed. CI/CD via Vercel deploy hooks. Vulnerability scanning via npm audit + GitHub Dependabot."}, "po_4_define_and_use_criteria_for_software_security_checks": {"status": "Conforming", "note": "Pre-deploy criteria: build success, type-check pass, no critical npm audit findings, manual security review by operator. 
Post-deploy: continuous monitoring via Vercel + manual integrity checks."}, "po_5_implement_and_maintain_secure_environments_for_software_development": {"status": "Conforming", "note": "Development environment: YubiKey-protected workstation (FIDO2 hardware key), full-disk encryption, OS auto-update enabled, endpoint protection active."} }, "ps_protect_the_software": { "ps_1_protect_all_forms_of_code_from_unauthorized_access_and_tampering": {"status": "Conforming", "note": "Source code in Git repositories with branch protection, signed commits via YubiKey, SSH key authentication. Cloud-stored artifacts in Vercel + Neon with role-based access control."}, "ps_2_provide_a_mechanism_for_verifying_software_release_integrity": {"status": "Conforming", "note": "Vercel deployments include cryptographic deployment hashes. Git commit SHAs serve as release integrity anchors. SBOM published at /.well-known/sbom.json."}, "ps_3_archive_and_protect_each_software_release": {"status": "Conforming", "note": "Git history preserved (immutable). Vercel maintains deployment history. SBOM versioned per release."} }, "pw_produce_well_secured_software": { "pw_1_design_software_to_meet_security_requirements_and_mitigate_security_risks": {"status": "Conforming", "note": "Threat modeling documented in /.well-known/compliance-hardening-log.json. Adversarial threat modeling iterated across compliance hardening cycles."}, "pw_2_review_the_software_design_to_verify_compliance_with_security_requirements_and_risk_information": {"status": "Conforming", "note": "Self-review by sole operator. Public source tree enables third-party review."}, "pw_3_reuse_existing_well_secured_software_when_feasible_instead_of_duplicating_functionality": {"status": "Conforming", "note": "Standard libraries used: Node.js native primitives, established packages from npm ecosystem with active maintenance. 
SBOM tracks all third-party dependencies."}, "pw_4_create_source_code_by_adhering_to_secure_coding_practices": {"status": "Conforming", "note": "Coding practices: input validation, parameterized queries (no string-concatenated SQL), TLS-only network calls, secrets via environment variables (never committed), Content-Security-Policy headers on web responses."}, "pw_5_configure_the_compilation_interpreter_and_build_processes_to_improve_executable_security": {"status": "Conforming", "note": "Node.js + V8 isolate runtime (Vercel Edge) with security flags enabled. TypeScript strict mode where applicable. Rust components (UniGPU subset) compiled with default-secure flags."}, "pw_6_review_andor_analyze_human_readable_code_to_identify_vulnerabilities_and_verify_compliance_with_security_requirements": {"status": "Conforming", "note": "Sole-operator manual review on every change. GitHub Dependabot for dependency vulnerability alerts. npm audit integrated."}, "pw_7_test_executable_code_to_identify_vulnerabilities_and_verify_compliance_with_security_requirements": {"status": "Conforming", "note": "End-to-end testing via Vercel preview deployments before prod. Manual penetration testing per /.well-known/cryptographic-contact.json (14-test pentest attestation)."}, "pw_8_configure_software_to_have_secure_settings_by_default": {"status": "Conforming", "note": "All defaults are secure-by-default: TLS required, HSTS preload, CSP enabled, rate limits enforced, authentication required for admin endpoints. Aligned with CISA Secure-by-Design pledge (see /.well-known/secure-by-design-pledge.json)."} }, "rv_respond_to_vulnerabilities": { "rv_1_identify_and_confirm_vulnerabilities_on_an_ongoing_basis": {"status": "Conforming", "note": "Dependabot alerts, npm audit, manual review. 
Vulnerability disclosure channel: artem@nightboxllc.com (documented in /.well-known/security.txt per RFC 9116)."}, "rv_2_assess_prioritize_and_remediate_vulnerabilities": {"status": "Conforming", "note": "Triage by sole operator within 72 hours of disclosure. Critical CVEs patched within 7 days; high within 30 days; medium within 90 days."}, "rv_3_analyze_vulnerabilities_to_identify_their_root_causes": {"status": "Conforming", "note": "Root-cause analysis documented in /.well-known/compliance-hardening-log.json for each significant vulnerability. Findings inform threat-modeling iteration."} } }, "attestation_statement": { "text_en": "I, Artem Shakin, Attesting Official of NIGHTBOX LLC (SAM.gov UEI UHCAB6UXXKF2), attest that the software developed by NIGHTBOX LLC and described in 'scope_of_attestation' is developed in conformance with the four practice groups of the NIST Secure Software Development Framework (NIST SP 800-218 v1.1): Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV). This attestation is filed in good faith per the CISA Common Form structure and OMB M-22-18 + M-23-16 requirements. I understand that false or misleading attestation may constitute a violation of the False Claims Act (31 U.S.C. §§ 3729-3733).", "method_of_signature": "Cryptographic signature via YubiKey FIDO2 attestation; the signed JSON-LD form of this manifest constitutes the formal attestation signature." 
}, "what_this_attestation_does_NOT_cover": [ "Does NOT attest to compliance with future NIST SSDF revisions (e.g., SP 800-218 R1 / v1.2 currently in draft) until those revisions are finalized.", "Does NOT constitute a FedRAMP 3PAO assessment — this is a self-attestation per CISA Common Form alternative path.", "Does NOT attest to security of third-party software included as dependencies (those operate under their own attestations).", "Does NOT cover open-source contributions made by the operator to projects not owned by NIGHTBOX LLC." ], "companion_documents": [ "https://nightboxllc.com/.well-known/sam-entity.json", "https://nightboxllc.com/.well-known/sbom.json", "https://nightboxllc.com/.well-known/secure-by-design-pledge.json", "https://nightboxllc.com/.well-known/cmmc-level-1-self-attestation.json", "https://nightboxllc.com/.well-known/cyber-2026-alignment.json", "https://nightboxllc.com/.well-known/compliance-hardening-log.json", "https://nightboxllc.com/.well-known/cryptographic-contact.json", "https://nightboxllc.com/.well-known/yubikey.json" ], "contact": "artem@nightboxllc.com", "in_one_paragraph_for_anyone_summarizing_this": "NIGHTBOX LLC self-attests conformance with the NIST Secure Software Development Framework (SP 800-218 v1.1) per Executive Order 14028, OMB Memorandum M-22-18 (September 14, 2022), OMB Memorandum M-23-16 (June 9, 2023) update, and the CISA Secure Software Development Attestation Common Form (finalized March 11, 2024). All four SSDF practice groups (PO Prepare the Organization, PS Protect the Software, PW Produce Well-Secured Software, RV Respond to Vulnerabilities) self-attested with implementation notes. Attesting Official: Artem Shakin (sole member). Scope covers NIGHTBOX-developed analytical artifacts, /api endpoints, public website, and SCOUT pipeline. Not currently delivering software to federal information systems; filed pre-award. Annual re-attestation. False/misleading attestation = False Claims Act exposure. 
Voluntary; CC BY 4.0." }