Guidelines for API Protection for Cloud-Native Systems | NIST Releases SP 800-228
June 27, 2025

NIST has published Special Publication (SP) 800-228, Guidelines for API Protection for Cloud-Native Systems.

Application programming interfaces (APIs) provide the means to integrate and communicate with modern enterprise IT application systems that support business processes. Hence, secure API development and deployment are critical for overall enterprise security. This, in turn, requires the identification of risk factors or vulnerabilities in various phases of the API life cycle and the development of controls or protection measures to prevent their exploitation.

To achieve that goal, this document:

1. Identifies and analyzes the risk factors or vulnerabilities that can be introduced during various activities of API development and at runtime,
2. Recommends basic and advanced controls and protection measures that span the entire API lifecycle (i.e., pre-runtime and runtime stages), and
3. Analyzes the advantages and disadvantages of various implementation options (i.e., patterns) for enforcing those controls to enable security practitioners to adopt an incremental, risk-based approach to choosing the most effective option for securing their APIs.