NIST SP 800-204D (Initial Public Draft)

Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD pipelines

Date Published: August 30, 2023
Comments Due: October 13, 2023 (public comment period is CLOSED)
Email Questions to: sp800-204d-comments@nist.gov

Author(s)

Ramaswamy Chandramouli (NIST), Frederick Kautz (TestifySec), Santiago Torres Arias (Purdue University)

Announcement

Cloud-native applications are made up of multiple loosely coupled components called microservices. This class of applications is generally developed through an agile software development life cycle (SDLC) paradigm called DevSecOps, which uses flow processes called continuous integration/continuous delivery (CI/CD) pipelines. Analyses of recent software attacks and vulnerabilities have led both government and private-sector organizations to focus on the activities involved in the entire SDLC. The collection of these activities is called the software supply chain (SSC). The integrity of these individual operations contributes to the overall security of an SSC, and threats can arise from attack vectors unleashed by malicious actors as well as defects introduced when due diligence practices are not followed during the SDLC.

Executive Order (EO) 14028, NIST’s Secure Software Development Framework (SSDF), other government initiatives, and industry forums have addressed security assurance measures for SSCs to enhance the security of all deployed software. This document focuses on actionable measures to integrate the various building blocks of SSC security assurance into CI/CD pipelines to prepare organizations to address SSC security in the development and deployment of their cloud-native applications.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Abstract

Keywords

actor; artifact; attestation; CI/CD pipeline; package; provenance; repository; SBOM; SDLC; SLSA; software supply chain

Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-204D.ipd

Supplemental Material:
None available

Document History:
08/30/23: SP 800-204D (Draft)
02/12/24: SP 800-204D (Final)