Date Published: July 2025
Author(s)
Alper Kerman (NIST), Michael Ogata (NIST), Parisa Grayeli (MITRE), Phillip Millwee (MITRE), Allen Tan (MITRE), William Barker (Dakota Consulting), Sudan Ayanam (AMI), Stefano Righi (AMI), Al Bessey (Black Duck), Chrissa Constantine (Black Duck), Tim Mackey (Black Duck), Rahul Dubey (CyberArk), James Imanian (CyberArk), Evan Litwak (CyberArk), Daniel Carroll (Dell Technologies), Daniel Jackson (Dell Technologies), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dave Roche (DigiCert), Tom Gleason (Endor Labs), Ron Harnik (Endor Labs), Karl Mattson (Endor Labs), Shruti Sundaresh (Endor Labs), Sameer Kamani (GitLab), Paul Pickhardt (GitLab), MaryGrace Wajda (GitLab), Isaac Hepworth (Google), Brandon Lum (Google), Leah Rivers (Google), Pradeep Balachandran (IBM), Jen Gilbert (IBM), Philippe Mulet (IBM), Ritchie Schacher (IBM), Harmeet Singh (IBM), Adrian Diglio (Microsoft), Toddy Mladenov (Microsoft), Segu Riluvan (Microsoft), Mark Svancarek (Microsoft), Tony Berning (NextLabs), Keng Lim (NextLabs), Sameer Shukla (NextLabs), Sean Morgan (Palo Alto Networks), Alfredo Motta (Palo Alto Networks), Norman Wong (Palo Alto Networks), Jose Palazon (Sagittal AI), Michael Smith (Sagittal AI), Rubi Arbel (Scribe Security), Daniel Nebenzah (Scribe Security), Nir Peleg (Scribe Security)
Announcement
The NCCoE is collaborating with 14 companies through the Software Supply Chain and DevOps Security Practices Consortium as part of NIST’s response to White House Executive Order (EO) 14306, Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. As stipulated in the EO, NIST is directed to establish the consortium to develop guidance that demonstrates the implementation of best practices based on NIST’s Secure Software Development Framework (SSDF).
The NCCoE has just released the preliminary public draft Volume A of Secure Software Development, Security, and Operations (DevSecOps) Practices (NIST Special Publication (SP) 1800-44) for public comment. The current version provides a high-level overview of the project's scope; future guidance will include a detailed reference model and specific implementation guidance for each of the project’s planned use cases.
The NCCoE welcomes public comments on the preliminary draft guidance through September 14, 2025. The project team plans to release additional drafts of the guidance incrementally throughout the project, accompanied by public comment periods. Those interested can also join the NCCoE DevSecOps Community of Interest (COI) to stay up to date and collaborate on the project.
Development Operations (DevOps) brings together software development and operations to shorten development cycles and allow organizations to be agile and maintain the pace of innovation while taking advantage of cloud-native technology and practices and the increasing industry use of rapidly evolving artificial intelligence (AI) capabilities. Development, Security, Operations (DevSecOps) emphasizes this philosophy by continuously addressing security throughout all phases of the software development lifecycle. Modern software is the synthesis of a wide array of components and processes, some of which are under the direct control of the software producer while others are part of a large, interconnected, and often opaque supply chain. Much of the DevSecOps methodology relies on automated production flows, which can quickly propagate security risks directly into production if they are not caught and corrected early in the development process. To help improve the security of DevSecOps practices, the NCCoE is executing a project that focuses on demonstrating and documenting applied risk-based approaches and recommendations for DevSecOps practices consistent with the NIST Secure Software Development Framework (SSDF) [1][2]. This project demonstrates these DevSecOps practices by implementing example software development processes.
Keywords
Cybersecurity supply chain risk management; DevOps; DevSecOps; Secure software development; Secure Software Development Framework (SSDF); Software Supply Chain; Supply chain security
Control Families
None selected