Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Integrating Software Supply Chain Security in DevSecOps CI/CD Pipelines | NIST Publishes SP 800-204D
February 12, 2024

Today, NIST is releasing Special Publication (SP) 800-204D, Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines.

Cloud-native applications are made up of multiple loosely coupled components called microservices. This class of applications is generally developed through an agile software development life cycle (SDLC) paradigm called DevSecOps, which uses flow processes called continuous integration/continuous delivery (CI/CD) pipelines. Analyses of recent software attacks and vulnerabilities have led both government and private-sector organizations to focus on the activities involved in the entire SDLC. The collection of these activities is called the software supply chain (SSC). The integrity of these individual activities contributes to the overall security of an SSC. Threats can arise from attack vectors unleashed by malicious actors during SSC activities, as well as defects introduced when due diligence practices are not followed by legitimate actors during the SDLC.

Executive Order (EO) 14028, NIST’s Secure Software Development Framework (SSDF), other government initiatives, and industry forums have discussed the security of SSCs and provided a roadmap to enhance the security of all deployed software. NIST SP 800-204D uses this roadmap as the basis for developing actionable measures to integrate the various building blocks of SSC security assurance into CI/CD pipelines to enhance organizations' preparedness to address SSC security in the development and deployment of cloud-native applications. To demonstrate that the SSC security integration strategies for CI/CD pipelines meet the objectives of SSDF, a mapping of these strategies to the high-level practices in the SSDF has also been provided.

Related Topics

Security and Privacy: assurance, cybersecurity supply chain risk management, security programs & operations

Technologies: software & firmware

Laws and Regulations: Executive Order 14028

Created February 09, 2024, Updated February 12, 2024