NIST SP 800-204C (Initial Public Draft)

Implementation of DevSecOps for a Microservices-based Application with Service Mesh

Date Published: September 29, 2021
Comments Due: November 1, 2021 (public comment period is CLOSED)
Email Questions to:

Author(s):
Ramaswamy Chandramouli (NIST)

The newest generation of software applications, "cloud-native applications," consists of several functional layers: transaction logic, application services, infrastructure resources, policy enforcement, and monitoring of state. This architecture calls for a more agile software life cycle paradigm, and DevSecOps (development, security, and operations) provides faster deployment and updates while integrating security throughout the life cycle.

Draft NIST SP 800-204C provides guidance for implementing DevSecOps primitives on a reference platform that hosts a cloud-native application with the functional layers described above. The guidance also discusses how this approach supports high security assurance and enables continuous authority to operate (C-ATO).
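One concrete DevSecOps primitive the draft's keywords name is "policy as code": a pipeline stage that evaluates deployment artifacts against security policy and blocks the apply step on failure. The following is an added illustration written for this page, not code from NIST SP 800-204C or from any NIST reference platform. It checks a Kubernetes Deployment manifest (a plain dict, as `json.load` or `yaml.safe_load` would produce) for a handful of workload policies relevant to a service-mesh deployment: mesh sidecar injection enabled, no privileged containers, non-root execution, no privilege escalation, images pinned by digest, and resource limits set. The sidecar label name, the policy set, the function names and the sample manifests are all assumptions constructed for the example.

```python
"""Policy-as-code deployment gate for a DevSecOps CI/CD pipeline.

Added example, not taken from NIST SP 800-204C or any NIST reference
implementation. It checks a Kubernetes Deployment manifest (a plain dict,
as produced by json.load or yaml.safe_load) against a small set of
workload policies and reports every violation so the pipeline can block
the apply step. The policy names, the sidecar label and the sample
manifests below are assumptions constructed for illustration.
"""
import re
from typing import Any, Dict, List

# Assumed mesh injection label: a workload without the sidecar bypasses
# mesh policy enforcement, so the gate treats its absence as a violation.
SIDECAR_LABEL = "sidecar.istio.io/inject"

# Images must be pinned by digest so that what was scanned in CI is
# exactly what runs in production.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_workload(manifest: Dict[str, Any]) -> List[str]:
    """Return policy violations for one workload; [] means it passes."""
    violations: List[str] = []
    meta = manifest.get("metadata", {})
    prefix = f"{manifest.get('kind', '<unknown>')}/{meta.get('name', '<unnamed>')}"

    if meta.get("labels", {}).get(SIDECAR_LABEL) != "true":
        violations.append(f"{prefix}: label {SIDECAR_LABEL}=true is required")

    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod_spec.get("securityContext", {})
    for container in pod_spec.get("containers", []):
        where = f"{prefix} container {container.get('name', '?')!r}"
        sc = container.get("securityContext", {})

        if sc.get("privileged", False):
            violations.append(f"{where}: privileged containers are forbidden")
        # runAsNonRoot can be set on the pod or the container; the
        # container-level value takes precedence when both are present.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{where}: runAsNonRoot must be true")
        # Kubernetes defaults allowPrivilegeEscalation to true, so an
        # unset field is a violation, not a pass.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{where}: allowPrivilegeEscalation must be false")
        image = container.get("image", "")
        if not DIGEST_RE.search(image):
            violations.append(f"{where}: image {image!r} is not pinned by sha256 digest")
        if not container.get("resources", {}).get("limits"):
            violations.append(f"{where}: CPU/memory limits are required")
    return violations


def gate(manifests: List[Dict[str, Any]]) -> bool:
    """Pipeline gate: True only if every manifest has zero violations."""
    return all(not check_workload(m) for m in manifests)


# Constructed sample manifests (not real deployments).
SAMPLE_DIGEST = "sha256:" + "a" * 64
COMPLIANT = {
    "kind": "Deployment",
    "metadata": {"name": "orders", "labels": {SIDECAR_LABEL: "true"}},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "orders",
            "image": f"registry.example/orders@{SAMPLE_DIGEST}",
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
}
NONCOMPLIANT = {
    "kind": "Deployment",
    "metadata": {"name": "legacy"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "legacy",
            "image": "registry.example/legacy:latest",
            "securityContext": {"privileged": True},
        }],
    }}},
}

if __name__ == "__main__":
    for m in (COMPLIANT, NONCOMPLIANT):
        for v in check_workload(m):
            print("DENY", v)
    print("pipeline gate:", "PASS" if gate([COMPLIANT, NONCOMPLIANT]) else "FAIL")
```

In a pipeline this check would run after the manifests are rendered and before `kubectl apply`, with a non-zero exit on any violation; reporting every violation rather than stopping at the first one keeps the feedback loop short for developers, which is the point of shifting the policy check into the pipeline rather than discovering it at admission time.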

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Keywords:
container orchestration and resource management platform; DevSecOps; CI/CD pipelines; infrastructure as code; policy as code; observability as code; GitOps; workflow models; static AST; dynamic AST; interactive AST; SCA
Control Families

None selected


Supplemental Material:
None available

Document History:
09/29/21: SP 800-204C (Draft)
03/08/22: SP 800-204C (Final)