Project Description

Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps

Date Published: November 2022

Author(s)

Murugiah Souppaya (NIST), Michael Ogata (NIST), Paul Watrobski (NIST), Karen Scarfone (Scarfone Cybersecurity)

Keywords

cloud-native technology; cybersecurity supply chain risk management; DevOps; DevSecOps; secure software development; Secure Software Development Framework (SSDF); supply chain security

Control Families

Assessment, Authorization and Monitoring; System and Services Acquisition; System and Communications Protection; System and Information Integrity
Project Description (pdf)

Supplemental Material:
Project homepage

Document History:
07/21/22: Project Description (Draft)
11/09/22: Project Description (Final)