Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-204A (Initial Public Draft)

Building Secure Microservices-based Applications Using Service-Mesh Architecture

Date Published: January 2020
Comments Due: February 14, 2020 (public comment period is CLOSED)
Email Questions to:


Ramaswamy Chandramouli (NIST), Zack Butcher (Tetrate)


As microservices-based applications are increasingly adopted within large enterprises and cloud-based environments, there is a need for a dedicated, scalable-supporting infrastructure that will allow for provisioning a comprehensive set of security services. Called Service Mesh, these security services include—but are not limited to—authentication, authorization, secure service discovery, secure communication, and security monitoring. The deployment of Service Mesh components to enable these services involves multiple configurations.

The purpose of Draft SP 800-204A is to provide deployment recommendations for Service Mesh components that span several runtime aspects of microservices-based applications to meet the security requirements for this class of application for various scenarios.

NOTE: A call for patent claims is included on page iv of this draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.



API gateway; Application Programming Interface (API); circuit breaker; load balancing; microservices; Service Mesh; service proxy
Control Families

None selected


Download URL

Supplemental Material:
None available

Document History:
01/17/20: SP 800-204A (Draft)
05/27/20: SP 800-204A (Final)


Security and Privacy

access control, authentication


cloud & virtualization, networks