NS-CTAF v1.0
A cryptographically grounded, continuously measurable standard for software trust — ending code trust theatre and establishing a unified architecture for proving that software is trustworthy across identity, integrity, supply chain, and runtime.
NS-CTAF introduces Code Trust Assurance (CTA) as a distinct discipline — the practice of establishing, measuring, and continuously maintaining evidence-based trust in software across its full lifecycle: from developer identity and build integrity to deployment, runtime behaviour, and software supply-chain assurance.
Built for the supply-chain attack reality of 2026 — SolarWinds SUNBURST, Log4Shell, XZ Utils, Polyfill.io — where traditional scanning and compliance programmes cannot answer the trust questions now being asked by regulators, enterprise customers, investors, and acquirers.
Framework Domains & Coverage
6 integrated trust domains, 86 controls, one unified trust score. Each domain targets a critical layer of software trust exposure identified through real-world supply-chain attacks; the domain weights together sum to 100%.
Framework Specification
NS-CTAF combines cryptographic assurance, software supply chain governance, secure development maturity, and continuous operational validation into a single, measurable Code Trust Assurance model.
Controls | 86 fully defined trust controls, each with requirements, cryptographic grounding requirements, implementation guidance, and framework alignment citations across 30+ standards.
Scoring Model | 5-axis maturity with domain weights reflecting supply chain risk concentration: D3 Secure Development at 22% (highest), D4 Supply Chain at 20%, D1/D2 Identity & Integrity at 18% each.
Maturity Scale | L1 Initial → L2 Developing → L3 Defined → L4 Managed → L5 Optimised, with 430 control-specific maturity interpretations (5 levels × 86 controls).
Certification Programme | The first external software trust certification backed by a structured maturity model: CTA-1 Transparent → CTA-2 Verified → CTA-3 Assured → CTA-4 Adaptive Trust.
Framework Alignment | 30+ standards including: NIST SSDF SP 800-218 · SLSA · in-toto · Sigstore · OWASP SAMM · BSIMM · ISO/IEC 27001 · EU Cyber Resilience Act · US EO 14028 · NIS2 · DORA · PCI DSS v4
Management Tool | Excel-native workbook with auto-scoring, 340+ improvement recommendations, certification readiness tracker, roadmap generation, and board-ready Trust Score report.
Delivery Model | Repository-based assessment model. First automated results in under 5 minutes via Paxley. Full advisory assessment: 1–3 weeks. Ongoing continuous monitoring via the Paxley platform.
Unique Differentiator | The only code security framework requiring cryptographic evidence, not self-reported status. A control cannot be rated above L2 without evidence that cannot be fabricated without computational effort proportional to the security claim.
Paxley Code Security Platform
The automated delivery engine for NS-CTAF assessments and continuous code trust monitoring. Provides SAST (15+ languages, dataflow analysis), Software Composition Analysis with CVE detection, SBOM generation in CycloneDX and SPDX formats, IaC scanning (Terraform, Kubernetes, Pulumi, CDK), container image scanning, secrets detection (200+ patterns), and policy governance — all in one unified interface. Repository-based pricing from $99/repo/month delivers a 79% cost reduction vs per-seat incumbents. First scan results in under 5 minutes. SaaS or self-hosted deployment.
Services Delivered Under This Pillar
All services anchored to NS-CTAF v1.0 and delivered with the Paxley Code Security Platform as the automated evidence layer.
Code Trust Assurance Assessment & Roadmap
NS-CTAF baseline across all 6 trust domains with automated Paxley scanning, Trust Score and Maturity Report, SBOM generation, and prioritised roadmap.
CTA Certification Programme Management
Structured pathway from CTA-1 Transparent through CTA-4 Adaptive Trust — Nucleus as advisory partner, delivering a validated software trust signal for procurement.
DevSecOps Transformation & Secure Engineering Enablement
Integration of NS-CTAF controls into CI/CD pipelines, engineering workflows, release governance, IaC security, and developer security operating models.
Virtual DevSecOps Champion Support Service
Structured retainer for organisations needing practical, independent, sustained secure SDLC leadership without committing to a full-time AppSec or product security function.
Code Security Risk Assessment
Automated repository scanning via Paxley — SAST, SCA, SBOM, IaC, container security, and secrets detection as a unified, continuous evidence layer.
M&A-Focused Code Risk Assessment
Pre-close assessment of product and supply-chain risk embedded in the codebase: IP and licensing exposure identification, and attacker-validated evidence for investment committees.
DPI & Digital Public Goods Code Trust Service
NS-CTAF assessment and secure development advisory for DPGs and DPI — ensuring community-built software meets regulatory and trust requirements for public-purpose digital systems.
SBOM Governance & Continuous Software Transparency
Enterprise SBOM governance, supplier software transparency assessments, continuous dependency trust monitoring, and customer-facing software trust reporting aligned to CRA, NIS2, DORA.
Open Source Software Trust & Community Governance Advisory
Governance, contributor trust validation, secure open-source release management, dependency risk governance, and cryptographic integrity assurance for open-source software ecosystems and community-led engineering environments.