[2/27/24, 11:00 AM EST] CSRC has been experiencing technical issues. If you are unable to access a CSRC page or resource, or get a 503 error, please try reloading the page several times--it may help to wait a few minutes before trying again. We apologize for the inconvenience, and hope to have a solution in place next week.
DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security.
NIST held a virtual workshop in January 2021 on improving the security of DevOps practices; you can access the workshop recording and materials here. A second virtual workshop was held in September 2022 on the planned NCCoE DevSecOps project; the workshop recording and presentations are posted.
DevSecOps helps ensure that security is addressed as part of all DevOps practices by integrating security practices and automatically generating security and compliance artifacts throughout the process. This is important for several reasons, including:
In general, to advance current and emerging secure software development and operations practices, NIST plans to:
To help industry and government improve the security of their DevOps practices, NIST has initiated a DevSecOps project. This project will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps practices.
NIST’s proposed applied risk-based approach for the DevSecOps project is similar to the one recently used for the Secure Software Development Framework (SSDF) and the NIST Cybersecurity Framework. NIST's approach is intended to help enable organizations to maintain the velocity and volume of software delivery in a cloud-native way and take advantage of automated tools as an example of a use case.
There are many existing security guidance and practices publications from NIST and others, but they have not yet been put into the context of DevOps. Industry, standards developing organizations, and government agencies are currently planning and executing work related to DevSecOps. Leveraging those efforts to provide a community-developed set of recommended practices would help enable organizations to maintain the velocity and volume of software delivery in a cloud-native way and take advantage of automated tools as one of the major use cases. Updating affected NIST publications so they reflect DevOps principles would also help organizations to make better use of their recommendations.
NIST would focus its efforts on facilitating communications about DevSecOps among software producers (e.g., commercial-off-the-shelf vendors, government software developers, custom enterprise software developers, open source software developers), operators of the hosting platforms (e.g., enterprise and cloud service providers), and software consumers (e.g., federal government agencies and other organizations).
Principles that NIST would follow include:
Proposed initial activities within this DevSecOps project include:
Your comments and suggestions for the DevSecOps project are always welcome. Contact us at firstname.lastname@example.org.