The NIST National Cybersecurity Center of Excellence (NCCoE) is releasing this live document as part of its Secure Software Development, Security, and Operations (DevSecOps) project. This project demonstrates how organizations can implement the security practices and tasks recommended in the NIST Secure Software Development Framework (SSDF) using modern DevSecOps pipelines and commercially available technology. The live document is open for public comment until April 24, 2026.
This release provides several components of the NCCoE DevSecOps demonstration, including:
The live document shares findings from the NCCoE's collaborative, demonstrative applied research project with 14 technology companies, who contributed technologies, expertise, and operational insights. This project demonstrates and documents practical approaches for integrating SSDF practices into modern DevSecOps pipelines using commercially available technologies. By automating and standardizing security considerations throughout the development lifecycle, the project aims to help organizations improve efficiency, strengthen software supply chain security, and provide greater assurance that secure software development practices are consistently applied.
As part of NIST’s response to Executive Order (EO) 14306, Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, this project will showcase examples of secure software development practices that fundamentally bolster the security of DevSecOps practices by implementing the SSDF's recommendations.
Unlike traditional static publications, this live document will be updated on a rolling basis with additional implementations and technical findings as the work with collaborators in the laboratory continues. In the coming months, the NCCoE will publish use case scenarios for the initial example implementation, as well as details on other example implementations showcasing several development platforms and tools. The NCCoE will also release an analysis that decomposes NIST SSDF practices and tasks into more granular and actionable tasks, illustrating their application within the project's DevSecOps model.
The Initial Public Draft of SP 1347, NIST Cybersecurity Framework 2.0: Informative References Quick‑Start Guide, explains what informative references are and how they support achieving the outcomes of the NIST Cybersecurity Framework (CSF) 2.0. The guide also introduces readers to NIST tools available for accessing, viewing, and using informative references for cybersecurity risk management, including direct download, the CSF 2.0 Reference Tool, and the Online Informative References Program. The draft contains two sample use cases and provides an overview of how artificial intelligence tools can support reference data use.
Today, the NCCoE published technical resources to help financial institutions use mobile driver’s licenses (mDLs) for customer identification. NIST Special Publication 1800-42 ipd provides an updated reference architecture, implementation details, and key findings from the project.
Compared to physical driver’s licenses, mobile driver’s licenses (mDLs) are easier to use for digital transactions and offer improved protections against fraud, identity theft, and unauthorized access. The NCCoE’s technology demonstration is tackling the security, privacy, and interoperability issues with mDLs.
This publication reflects insights from industry collaborators and lessons learned by developing a functional online demonstration using mDLs for customer identification. The publication provides a practical roadmap to enable adoption and implementation of mDLs for online financial management.
\nYou can improve this guide by contributing feedback. As an initial public draft, this document intends to gain critical feedback from stakeholders across government and industry on the implementation of mDL to support Customer Identification Programs and high assurance use cases more broadly. Comments are welcome on all aspects of this document and specifically encouraged on the following areas:
\nAccording to the U.S. Small Business Administration Office of Advocacy, there are 34.8 million small businesses in the United States. Of those, 81.9% have no paid employees other than the owner or owners—termed “non-employer firms.” These include sole proprietors, freelancers, single-member limited liability companies (LLCs), independent contractors, gig economy workers, and others. This publication helps small firms with no employees and with minimal IT complexity use the NIST Cybersecurity Framework 2.0 to manage their cybersecurity risks. To make this information applicable to a broader audience, cybersecurity risk management considerations are included for businesses as they grow and hire employees—acknowledging that some non-employer firms may never hire additional employees. Many small businesses rely upon consultants, who are also a key audience for this report. While the guide is developed for a U.S. audience, it is recognized that many small businesses engage in international commerce or collaborations, and this document can be adapted to support the cybersecurity risk management of those efforts.
Cybersecurity White Paper (CSWP) 50 was initially published in 2009 as NIST IR 7621, Small Business Information Security: The Fundamentals. The publication underwent an initial revision in 2016 (NIST IR 7621, Rev.1). A pre-draft call for comments was issued in 2024, followed by an initial public draft and comment period on NIST IR 7621, Rev. 2. During the revision process, the publication was converted to CSWP 50, Small Business Cybersecurity: Non-Employer Firms.
\nKey Updates within CSWP 50:
The NIST Cryptographic Module Validation Program (CMVP) is essential for organizations required to use validated cryptography – ensuring that hardware and software cryptographic implementations meet standard security requirements. The NCCoE has published the draft NIST SP 1800-40, Automation of the NIST Cryptographic Module Validation Program, to demonstrate how structured test evidence, standardized submission protocols, and modernized computing infrastructure can streamline the submission and review process. This publication is open for public comment through June 1, 2026.
\nNIST established the CMVP to ensure that hardware and software cryptographic implementations conform to specified security requirements. Since CMVP was established, the volume, complexity, and speed-to-market of cryptographic modules seeking validation have steadily increased. The rapid pace of innovation is exceeding the capacity of vendors, labs, and validation authorities to keep up with testing and validation.
\nThe NCCoE, in collaboration with the CMVP, is demonstrating the value of automation to improve the efficiency and timeliness of CMVP operations and processes. This publication provides details on the modernization effort, including automation of the testing and validation process, demonstration of protocols to accept and process module validation submissions, and an overview of the infrastructure changes to shift from an on-premises architecture to a cloud-native platform. This publication is intended to help testing labs, technology producers, and validation authorities streamline the validation process while maintaining and improving assurance levels.
\nWe encourage you to download the publication and submit your feedback by June 1, 2026. While no further publication updates are planned, the team invites users to provide feedback on the areas where clarification might be beneficial. If you have any questions, you can reach out to the team at applied-crypto-testing@nist.gov.
", "published": "2026-04-15T00:00:00", "updated": "2026-04-15T00:00:00", "link": "https://csrc.nist.gov/pubs/sp/1800/40/ipd", "content": "Comments Due 06/01/2026" }, { "id": "https://csrc.nist.gov/pubs/sp/800/230/ipd", "title": "SP 800-230, Additional SLH-DSA Parameter Sets for Limited Signature Use CasesInitial Public Draft", "summary": "NIST is seeking public comments on the initial public draft (ipd) of Special Publication (SP) 800-230, Additional SLH-DSA Parameter Sets for Limited-Signature Use Cases. This document serves as a technical extension to FIPS 205 by specifying six additional parameter sets for security levels 1, 3, and 5. These variants are specifically tailored for use cases that require fast verification and reduced signature sizes, such as the signing of software, firmware, and digital certificates. These optimizations are achieved by establishing a strict limit of 2^24 signatures per signing key; therefore, these sets are not approved for general-purpose use.
NIST requests feedback on the suitability of these additional parameter sets, specifically asking reviewers to identify applications for which these variants might incur unacceptable performance or to suggest alternative sets that are better suited for such use cases. Users must perform a thorough evaluation to ensure that the signature limit is never exceeded during a key's lifetime. Please submit comments to SP800-230-comments@nist.gov by June 12, 2026
", "published": "2026-04-13T00:00:00", "updated": "2026-04-13T00:00:00", "link": "https://csrc.nist.gov/pubs/sp/800/230/ipd", "content": "Comments Due 06/12/2026" }, { "id": "https://csrc.nist.gov/pubs/sp/800/133/r3/ipd", "title": "SP 800-133 Rev. 3, Recommendation for Cryptographic Key GenerationInitial Public Draft", "summary": "This document describes the generation of keys to be managed and used by approved cryptographic algorithms.
Proposed changes in this revision include the following:
Comments are especially requested regarding: