NIST Publishes SP 800-204C, Implementation of DevSecOps for a Microservices-based Application with Service Mesh
March 08, 2022

NIST Special Publication (SP) 800-204C, Implementation of DevSecOps for a Microservices-based Application with Service Mesh, is now available.

The newest generation of software applications – cloud-native applications – has evolved into a standardized architecture of loosely coupled components called microservices that are supported by an infrastructure for providing application services (e.g., service mesh). In this architecture, the entire set of source code involved in the application environment can be divided into five code types: 1) application code, 2) application services code, 3) infrastructure as code, 4) policy as code, and 5) observability as code. The unique architecture of this application class requires a more agile software life cycle paradigm, and DevSecOps (development, security, and operations) offers faster deployment and updates while integrating security throughout the life cycle.

NIST SP 800-204C provides guidance for the implementation of DevSecOps primitives for a reference platform hosting a cloud-native application with the code types listed above. The guidance also discusses the benefits of this approach for high security assurance and enabling continuous authority to operate (C-ATO).

Created March 08, 2022